ISO 27001: 2013 – Information Security Management System (ISMS)

What is ISO 27001?

ISO 27001 is an internationally recognized structured methodology dedicated to information security and the only auditable international standard which defines the requirements for an Information Security Management System (ISMS). The ISO 27000-series comprises information security standards published jointly by the International Organisation for Standardization (ISO) and the International Electro technical Commission (IEC).

The series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to management systems for quality assurance (the ISO 9001) and environmental protection (the ISO 14001).

The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. It is applicable to organisations of all shapes and sizes. All organisations are encouraged to assess their information security risks, and then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarized by Deming’s “plan-do-check-act” approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents.

• The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
• The Do phase involves implementing and operating the controls.
• The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
• In the Act phase, changes are made where necessary to bring the ISMS back to peak performance

ISO 27000-series Published standards

• ISO 27000 Fundamental and Vocabulary
• ISO 27001 Information Security Management Requirements
• ISO 27002 Code of Practice
• ISO 27003 Implementation Guidance
• ISO 27004 Information security management measurements
• ISO 27005 Information security risk management
• ISO 27006 Requirements for certification bodies
• ISO 27007 Guidelines for Information security management systems auditing
• ISO TR 27008 Guidance for auditors on ISMS controls (focused on the information security controls)
• ISO 27010 ISM for inter-sector and inter-organizational communications
• ISO 27011 Information security management guidelines for telecommunications
• ISO 27013  Guideline on the integrated implementation of ISO 27001 and ISO/IEC 20000-1
• ISO 27014  Information security governance
• ISO TR 27015 Information security management guidelines for financial services
• ISO 27031 Business Continuity
• ISO 27032 Guidelines for cyber security
• ISO 27033 IT network security
• ISO 27034 Guidelines for application security
• ISO 27035  Information security incident management
• ISO 27036-3  Information security for supplier relationships Guidelines for information and communication technology supply chain security
• ISO 27037  Guidelines for identification, collection, acquisition and preservation of digital evidence
• ISO 27799 Security Management in Health
• Up to ISO 27059 Reserved for future standards

Structure of the ISO 27001: 2013

ISO 27001:2013 has the following sections:

• Introduction, the standard uses a process approach.
• Scope, it specifies generic ISMS requirements suitable for organisations of any type, size or nature.
• Normative references, only ISO 27000 is considered absolutely essential to users of 27001
• Terms and definitions, a brief, formalized glossary, soon to be superseded by ISO 27000.
• Context of the organisation, understanding the organisational context, the needs and expectations of ‘interested parties’, and defining the scope of the ISMS.  Section 4.4 states very plainly that “The organisation shall establish, implement, maintain and continually improve” a compliant ISMS.
• Leadership, top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
• Planning outlines the process to identify, analyze and plan to treat information security risks, and clarify the objectives of information security.
• Support, adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.
• Operation, a bit more detail about assessing and treating information security risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
• Performance evaluation, monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.
• Improvement, address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS

Annex A Reference control objectives and controls, little more in fact than a list of titles of the control sections in ISO 27002.  The annex is ‘normative’, implying that certified organisations are expected to use it, but they are free to deviate from or supplement it in order to address their particular information security risks.

ISO 27001 Certification around the world and in Australia

Certified compliance with ISO 27001 by an accredited and respected certification body is entirely optional but is increasingly being demanded from suppliers and business partners by organisations that are concerned about the security of their information, and about information security throughout the supply chain or network.

Based on ISO survey 2013, more than 22,000 of ISO 27001 certificates have been issued all over the world. Out of these certificates, Australian share was only 140 certificates. However, based on the information security attacks and vulnerabilities reports which are published every year, we can see the need for Australian corporations to consider the ISO 27001 as the best practice. There should be some reasons why Australian rate of using ISO 27001 is so much lower than developed countries. Some of those reasons could be:

• Lack of awareness about ISO 27001
• Not realizing of information security importance
• Indirect relation between information security and organisations performance
• Lack of legislation requirements
• Financial crisis

How ISO Consulting Services can help you

Please fill out the Questionnaire or contact us if you need more details on how our expert team can assists you in training and developing a new or updating your current ISMS in compliance with ISO 27001:2013 standard.