ISO 27001:2005/ISO 27000:2018
Introduction
The rising value of information to organizations combined with recent high profile information security breaches, are highlighting the ever mounting requirement for organizations to protect their information. In order to ensure the continuity of your operations and the safety of your data and systems, the security of information systems and critical business information must be constantly and actively managed.
Unprotected systems are vulnerable to many threats, including computer-assisted fraud, sabotage and viruses. These threats can be internal or external, accidental or malicious. Breaches in information security can allow vital information to be accessed, stolen, corrupted or lost. It is crucial that every company institutes appropriate controls and procedures in place to avoid such incidents.
The internationally recognized information security management system ISO 27001 (known as ISO/IEC 27001) is suitable for any organization, large or small, in any sector or part of the world where managing sensitive company information and keeping it secure from outsiders is important. The standard is particularly suitable where the protection of information is critical, such as in the finance, health, public and IT sectors.
Background
The 2013 standard puts more emphasis on measuring and evaluating how well an organization’s ISMS is performing and there is a new section on outsourcing, which reflects the fact that many organizations rely on third parties to provide some aspects of IT. More focus is on the organizational context of information security and risk assessment has changed. Overall, 27001:2013 is designed to fit better alongside other management standards such as ISO 9001, ISO 14001 and ISO/IEC 20000 and the structure has more in common with other standards.
The IT department is the main focus of ISO 27001 implementation, but the standard involves areas in the entire company as well. The main driver, sponsor, and promoter of the change must be the company’s management, while its IT is mainly responsible for its execution. In addition to management and IT, the departments that must be involved include HR, Training and Education, Building Security, Building Maintenance, Legal Department as well as suppliers, outsourcing and, last but not least, employees.
ISO 27001 is also highly effective for organizations that manage information on behalf of others, such as IT outsourcing companies. This standard requires an organization to assure customers that their information is being protected.
ISO 27001:2013 looks very different to ISO 27001:2005. There are no duplicate requirements, and the requirements are phrased in a way, which allows greater freedom of choice on how to implement them. A good example of this is that the identification of assets, threats and vulnerabilities is no longer a prerequisite for the identification of information security risks. The standard now makes it clearer that controls are not to be selected from Annex A, but are determined through the process of risk treatment. Nevertheless, Annex A continues to serve as a cross-check to help ensure that no necessary controls have been overlooked.
ISO 27001 helps the organization to:
Analyze risks related to information security
Define specific and optimal security goals (the standard requires a company to specify its own security goals which an auditor verifies)
Define defined and documented methods which all activities should follow
Document all risks, goals, and methods
Implement measures to mitigate and manage risks
Assign accountability for risk management
Measure information security
Embed continuous improvement approach
What Certification Does?
Demonstrates the integrity of your data and systems and your commitment to information security
Transforms the organization’s culture both internally and externally
Allows enforcing information security and reducing the possible risk of fraud, information loss and disclosure
Demonstrates the independent assurance of your internal controls
Meets corporate governance and business continuity requirements
Independently demonstrates that applicable laws and regulations are observed
Provides a competitive edge
Meets contractual requirements
Demonstrates to your customers that the security of their information is paramount
Verifies that your organizational risks are properly identified, assessed and managed, while formalizing information security processes, procedures and documentation
Benefits
Enhances the credibility of your organization
Opens up new business opportunities with security conscious customers
Improves employee ethics
Strengthens the climate of confidentiality throughout the workplace
Provides a competitive advantage over companies that aren’t certified against ISO/IEC 27001:2005
Reduces the risks associated with unsecured data and information
Formalizes your corporate information system structure (infrastructure, buildings, cabling, environment, alarms, fire and flood prevention, access control, etc.)
Effectively organizes all existing and necessary company IT security processes
Protects vital business assets with regular backups
Provides design of ongoing system optimization
Potentially reduces insurance premiums with proven compliance
Reduces the potential for law suits
GRS Certifications Services
Certification – We provide assessment and certification to ISO 27001.
Gap Analysis – We offer gap analysis and preliminary assessments to prepare you for certification.
Training – We will help you interpret the new concepts and understand the changes. GRS Certifications provides on-site introduction and internal audit training which will prepare you and your staff prior to and after the ISO 27001 certification process.