As the risks associated with cyber attacks and data breaches continue to increase, information security has become a critical issue for every business.
ISO 27001 is the international standard that provides the specification for an Information Security Management System, also known as an ISMS. An ISMS is a systematic approach consisting of people, processes, and technology that supports your business by protecting and managing all your information through a risk management process.
As the mainstay of the 27000 series, ISO 27001 provides a globally recognised framework for structuring best-practice security management. These standards help organisations keep information assets secure by offering a set of specifications, codes of conduct and best-practice guidelines that underpin strong information security management.
However, it is important to note that ISO 27001 only provides the specification for an effective ISMS, whereas ISO 27002 provides the code of conduct, guidance, and best practices for implementing your ISMS effectively.
An ISMS, particularly one that conforms to ISO 27001, can help organisations comply with laws such as the GDPR or the Network and Information Systems Regulations, also known as the NIS Regulations.
ISO 27001 focuses on protecting three key aspects of information:
Confidentiality - Separating information into collections organised by who needs access to the information and how sensitive that information actually is.
Integrity - Protecting data from deletion or modification by any unauthorised party, and ensuring that when an authorised person makes a change that should not have been made, the damage can be reversed.
Availability - Authentication mechanisms, access channels and systems must all work properly so that the information they protect is available when it is needed.
Effective cyber security is a journey rather than a destination. This is a picture that the ISO 27001 standard paints.
- Jon Coss, JC Cyber Security Services
ISO 27001 is one of the most recognised information security standards in the world. The standard exists to support organisations in managing their security posture in a consistent and cost-effective way. It is technology- and vendor-neutral and applicable to all organisations, regardless of size, type, or nature.
As certification to ISO 27001 is not mandatory, not all organisations choose to achieve it. However, there are many benefits to becoming certified:
Organisations are instructed to compare the controls they currently have in place with the best-practice controls provided in Annex A to determine their current security posture. Any controls identified as missing can then be implemented or improved to ensure the ISO 27001 criteria are met. Once compliant, your organisation can apply for certification. If certain controls within Annex A do not seem applicable to your business and you are looking to become ISO 27001 certified, you must document the reason why you believe they are not applicable.
There are 114 best-practice controls in Annex A, split into 14 categories. The 14 categories are listed below.
Annex A.5 – Information security policies
Annex A.6 – Organisation of information security
Annex A.7 – Human resource security
Annex A.8 – Asset management
Annex A.9 – Access control
Annex A.10 – Cryptography
Annex A.11 – Physical and environmental security
Annex A.12 – Operations security
Annex A.13 – Communications security
Annex A.14 – System acquisition, development, and maintenance
Annex A.15 – Supplier relationships
Annex A.16 – Information security incident management
Annex A.17 – Information security aspects of business continuity management
Annex A.18 – Compliance
Only a quarter of large businesses (24%) adhere to ISO 27001
- Department for Digital, Culture, Media and Sport
It is important to ensure business continuity: a hassle-free transition can be extremely beneficial for your organisation. However, controls that are not implemented correctly can have major implications in the future, so it is important to get it right the first time around.
If you’d like a helping hand with becoming ISO 27001 compliant, we at JC Cyber Security Services are happy to guide you through the process and advise on the best method of implementation, specifically tailored to your business needs and requirements. Not only are we happy to advise, but we are also able to help implement systems that have been identified as missing or weak.
Once you have met the various requirements set out by ISO 27001, the next step is to seek certification. Certification is the procedure by which an external certification body provides written assurance that an organisation's ISMS conforms to the requirements of ISO 27001. The process involves a certification audit, in which an expert from the certification body visits your business to examine your ISMS. If they are satisfied, they will award a certificate.