What is ISO27001?
ISO 27001 (Information Security Management System) is the primary internationally recognised certification that gives both you and your customers confidence in your company’s security and in its ability to handle and process customer data and your own internal data in a secure manner. ISO 27001 lays down the requirements for a secure information system that applies adequate and proportionate security controls and so provides confidence to “interested parties”.
Designing an effective ISMS requires “the selection of adequate and proportionate security controls that protect information assets and gives confidence to interested parties” (ISO 27001:2005 Element 1.1). We follow the best practices identified in ISO 17799 / ISO 27002, where appropriate, to ensure an effective ISMS is implemented. Where appropriate, we also use best practice included in other standards such as BS 25999 (Business Continuity Management) when addressing ISO 27001 requirements.
Components of ISO27001
ISO 27001 can be seen as a means of protecting:
- Confidentiality - Assurance that information is accessible only to authorised persons and systems. Sensitive information must be protected from unauthorised access, interception or publication.
- Integrity - Maintaining the accuracy and completeness of information and processes. Ensuring that information is correct and uncontaminated.
- Availability - Ensuring that information and services are available to authorised users and systems in a suitable format when needed.
KOMS 17 consultants assist companies in identifying the “Business Case” for the ISMS. A clear understanding of this by client senior management assists in identifying a suitable boundary and scope for the ISMS, ensuring it meets the needs of “Interested Parties”. Regular review of the business case helps ensure an effective ISMS is maintained.
Risk Management
Risk identification and mitigation form the basis of effective risk management. It is essential that a systematic approach is taken when preparing for and carrying out risk assessments. This ensures that another person performing the same risk assessment reaches the same conclusion.
KOMS 17 implements a ‘Semi-Quantitative’ approach when assessing risks. Our solution, while simple, has been shown to be effective and is appreciated by our clients. We see competitor tools implemented in companies that are so complicated that specialist knowledge, and cost, are required simply to use the tool.
Statement of Applicability
The Statement of Applicability (SOA) details the controls applied to manage the risks identified during the risk assessment, based on the requirements of ISO 27001 Annex “A”.
Consideration also needs to be given to industry specific standards and statutory and regulatory requirements such as PCI (Payment Card Industry) and Data Protection Authority requirements.
ISO 27001 is part of the ISO 27000 family of standards, which includes:
- ISO 27000 – principles and vocabulary
- ISO 27001 – ISMS requirements (BS7799 – Part 2)
- ISO 27002 – best practice guidelines for information security
- ISO 27003 – ISMS Implementation guidelines
- ISO 27004 – ISMS Metrics and measurement
- ISO 27005 – ISMS Risk Management
- ISO 27006 – Requirements for bodies providing audit and certification of an ISMS
- ISO 27007 to ISO 27010 – allocated for future use