What iso standard applies to information security management controls?
In this article, we will explore how ISO 27001 (or the ISO/IEC 27001:2013 standard) can be used to provide requirements with regards to establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). An ISMS is a systematic approach to managing an organization's crown jewels (e.g. valuable assets and data) and sensitive information so that they remain secure by applying a risk management approach. Further, there are three main security goals of an ISMS for an organization:
The ISMS is related to the two major sections of the standard, as follows:
Requirements
The requirements section of the standard describes the necessary characteristics for an organization to properly manage its ISMS. The requirements section consists of eleven short clauses, 0 - 10. Clauses 0 - 3 (Introduction, Scope, Normative References, and Terms and Definitions) describe the ISO 27001 standard and its clauses, while clauses 4 - 10 set the mandatory requirements for an ISMS, which must be implemented for an organization to be compliant with the standard. The standard takes a risk management approach to protecting the information security of an organization. Risk assessment is done to find out potential risks to information, and then risk treatment is done to address them through security controls. The security controls used to address risk take the form of policies, procedures and technical controls to secure assets. The following are mandatory requirements for an ISMS:
Security Controls (Annex A)
Annex A, the controls section of ISO 27001, contains a set of 114 industry-standard security controls or safeguards grouped into 14 sections, organized in the following categories:
Becoming ISO/IEC 27001:2013 Compliant: Who, When, Where, Why, How
Who: ISO/IEC 27001:2013 is suitable for an organization that wants to improve its information security management system using the widely known information security leading-practices standard and gain the mandatory security assurance.
When: An organization can implement and get certified on ISO/IEC 27001:2013 at any time, but it is not mandatory. The organization may choose to implement the standard first and get certified later, when it is compelled by regulations or when it wants to increase trust among customers and clients by giving extended security assurance.
Where: The standard can be adopted and implemented in any organization regardless of its size, type or nature, whether private or state-owned, profit or non-profit.
Why: ISO/IEC 27001:2013 benefits organizations by implementing security in a comprehensive manner. It helps organizations comply with legal requirements, achieve a marketing advantage by reassuring customers about security, lower costs by preventing incidents, and be better organized by defining processes and procedures for a coordinated approach to information security.
How: An organization that wants to improve its security management system using ISO/IEC 27001:2013 as its standard would undergo the following activities:
What are the ISO standards for information security?
ISO/IEC 27001:2013 is the international standard for information security. It sets out the specification for an information security management system (ISMS). ISO 27001's best-practice approach helps organisations manage their information security by addressing people, processes, and technology.
What is the standard ISO 27001:2013 used for?
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
Is ISO 9001 the same as ISO 27001?
The difference is that ISO 9001 requires products and services to be considered, while ISO 27001 requires consideration of interfaces and dependencies between the processes when defining the scope. The requirements are otherwise exactly the same: each system must be established, implemented, documented, and continually improved.
What is the ISO 27002 standard?
ISO 27002 is a supplementary standard that focuses on the information security controls that organisations might choose to implement. These controls are listed in Annex A of ISO 27001, which is what you'll often see information security experts refer to when discussing information security controls.