In 2005, the ISO released its first family of standards. Since then, periodic updates have been made to various policies. The most recent major changes to ISO 27001 were made in 2013. Ownership of ISO 27001 is shared by the ISO and the International Electrotechnical Commission, a Swiss organization that focuses primarily on electronic systems.
ISO 27001’s goal is to establish a set of standards that guide modern organizations in how they manage information and data. Its key component is risk management, which ensures that companies and non-profits understand their strengths as well as their weaknesses. ISO maturity is an indicator that a company is reliable and can be trusted with data.
All companies need to understand the importance and necessity of cyber security. However, simply setting up an IT security team within your organization will not guarantee data integrity. An ISMS is essential, especially for organizations that operate in multiple locations or countries, because it covers all aspects of security.
Here are the requirements in sections 4-10:
Clause 4: Context of the organization. Understanding the context is a prerequisite to successfully implementing an Information Security Management System. External and internal issues, as well as the requirements of interested parties, should be identified and taken into consideration. Although these might include regulatory issues, requirements can extend beyond that.
Clause 5: Leadership. ISO 27001 places several requirements on leadership. For a management system to work, top management must commit to it. It is essential that the ISMS objectives are set according to the organization’s strategic objectives. There are many other obligations that must be met, such as providing resources and supporting the individuals who help with the ISMS.
Clause 6: Planning. Planning in an ISMS environment should always consider risks and opportunities. A sound information security risk assessment is the best foundation, so information security objectives should be based on that risk assessment. These objectives should align with the company’s overall goals and should be promoted within the company, so that everyone has security goals to work towards that are consistent with the company’s objectives. Based on the control lists in the Annex, a risk treatment plan is developed from the information gathered during the risk assessment.
Clause 7: Support. Supporting the ISMS requires resources, competence, and awareness among employees. Communication is also important. Another requirement is documented information as defined by ISO 27001: the information must be created, documented, and controlled. An appropriate set of documentation is required to ensure the ISMS’s success.
Clause 8: Operation. Information security must be implemented through defined processes, and these processes require planning, implementation, and control. As already noted under Clause 6, top management should be thinking about risk assessment and risk treatment.
Clause 9: Performance evaluation. ISO 27001 requires monitoring, measurement, and analysis of the Information Security Management System. Internal audits must be performed in addition to each department checking its own work, and the organization’s ISMS must be reviewed at regular intervals by top management.
Clause 10: Improvement. Following an evaluation, improvements are made. It is essential to correct nonconformities and take steps to eliminate their causes. Moreover, a continuous improvement cycle should be implemented. The PDCA cycle (Plan-Do-Check-Act) is no longer mandatory; however, PDCA cycles are often recommended because they offer a solid structure and meet the requirements of ISO 27001.