ISO 27001:2013; Information Security Management System
The latest version of ISO/IEC 27001 (Information security management, or ISO 27001) can be traced back to the User’s Code of Practice and the Vendor’s Code of Practice, later known as the Green Books: the first codes of good security practice ever published. They were issued in 1989 by the Commercial Computer Security Centre (CCSC), a division of the United Kingdom’s Department of Trade and Industry (DTI).
Later, in 1995, using some sections of the Green Books, the British Standards Institution (BSI) published the first part of the BSI 7799 standard for IT security. The second part, which focused on how to implement an information security management system (ISMS), was published several years later, in 1999. The standard was revised again in 2005, this time jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), who gave it the name ISO/IEC 17799:2005.
ISO 27001 framework; BSI 7799
Today, the internationally recognised ISO 27001:2013, which includes the revisions made in 2017, is the most current version of the international standard for information security and one of the most popular information security standards in the world. It sets out the specification for an information security management system (ISMS). It is part of the ISO 27000 family of information security standards, designed to help organisations protect intellectual property and keep information assets secure, and is considered the best-practice information security standard available.
Through its best-practice approach centred on people, processes and technology, the world-recognised ISO 27001 framework helps organisations establish, implement, operate, monitor, review, maintain and continually improve an ISMS, so that it stays up to date with the latest information security best practice.
What is an ISMS? The two main parts of ISO 27001:2013
The first part consists of the requirements definition, whereas the second part, the Annex A security controls, relates to controls and control domains.
- The first part of ISO 27001:2013, Sections 1 through 3, takes the form of rules and guidelines based on the security requirements: it describes the scope of the standard, explains how the document is referenced, and sets out the terms and definitions. At this stage, management needs to clearly define the context of the organisation, including its scope and stakeholder expectations. Management and policy, risk assessment planning, and resource management also need to be identified, so that proper monitoring (performance evaluation and measurement), operational planning and control (operation), and corrective action (improvement) measures are put in place.
- The second, practical part, Sections 4 to 9, which is the actual information security requirements part of the ISO 27001:2013 standard, consists of the controls and control domains and encompasses the mechanisms and countermeasures implemented to support the execution of the planned information security policies. The controls categorised under each control objective are high-level and can be classified by type, such as physical, technical or human-resource controls. This part also covers all the security manuals, standards and procedures, as well as records.
What is the “Annex A” concept in ISO 27001 (BSI 7799)?
Annex A’s 114 controls, which provide a comprehensive list of suitable solutions for defining the essential countermeasures applicable to any organisation, are broken down into 14 groups based on the commonalities of their objectives; these groups are further segmented into 35 control categories. The 14 control domain groups are as follows:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
What is the role of implementation in ISO 27001:2013?
Most control domains come with distinct subdomains that further explain the relevant controls and provide specific details. That is why an ISO 27001 requirements checklist is so important. The central focus of an ISO 27001:2013 implementation is divided among the following areas:
- Asset classification
- Personnel security
- Access control
Any organisation that uses information technology has at least one or two information security controls in some shape or form. Without an information security management system (ISMS), however, those controls are not used to their full potential: they tend to be applied on a per-need basis, as a point solution to a specific problem, rather than as part of a whole, cohesive system. In addition, the typical security control today addresses Information Technology (IT) information assets only, leaving non-IT information assets, such as paperwork, unprotected.
ISO 27001:2013’s revolution up to today
ISO 27001:2013’s revolutionary, holistic approach to information security was developed to cover much more than just IT, with the objective of helping organisations improve the security of their information and reduce the risk of business disruption caused by both IT-related and non-IT-related information security breaches.
Organisations of all shapes and sizes, regardless of the industry they operate in, are advised to proactively adopt a preventive, protective, preparatory and mitigating approach to identifying and managing the threats to, and vulnerabilities of, sensitive information assets. In today’s world, it is no longer sufficient to draw up a response plan and use it when required. Leading organisations are adopting more adaptive and proactive methods in an attempt to prevent such incidents from happening in the first place.