Information Security Standards
Information Security is a business requirement in today's corporate world. These requirements are driven either by business need or by regulations. Many organizations find it difficult to derive a framework for defining the requirements. Publicly accepted, well-known Information Security Standards come in handy at this stage. There are many standards available, and ISO27001 is an ISO accredited standard for Information Security Management.
What is ISO27001?
ISO 27001 is derived from the well-known BS7799 Standard. In 2005, BSI published the new version of the BS7799 standard, and it was also adopted by ISO as the ISO 27001 standard.
Why should you implement?
There are several reasons why an organization should implement the ISO27001 standard, and the primary one will be business demand. Everyone who deals with you needs to keep their information secure. ISO27001 certification confirms that a certain level of protection is in place to protect the information / data handled.
ISO 27001 also works as a framework from where one can start the information security management initiative in your organization.
Steps involved in implementing ISO27001
There are different ways of implementing ISO27001, and the exact steps of one organization may not be reproducible for another. The steps given below are from a high-level overview perspective. The details need to be defined for every organization and will be unique to it.
- Define the scope of implementation
- Define the Corporate Information Security Policy / Statement
- Identify the Information Assets and classify them
- Define a Risk Assessment and management methodology and identify the risks associated with each asset
- Map the ISO27001 controls that are applicable for mitigating the risks identified
- Document the Statement of Applicability using the selected controls
- Define the associated policies, standards and procedures
- Communicate the policies and procedures to the entire organization
- Implement the identified controls and document them.
- Perform Security Awareness training for the organization.
- Conduct periodic internal audits
- Engage a third party to do audits
- Proactively close the gaps identified during the audits
- Maintain metrics of the security practice to ensure continuous improvement
- Perform certification audit.
- Post certification tasks
The post-certification phase is important for any organization. Unlike other certifications, ISO27001 requires you to undergo periodic surveillance audits and show continuous improvement in Information Security Management.
This requires organizations to improve continuously in terms of security management: perform periodic audits, produce audit reports and close all the findings. This becomes a never-ending cycle, and the continuous improvement needs to be captured using metrics.
This post is just a high-level overview of implementing ISO 27001.