ISO standards are tools that add value to all types of businesses. They contribute to improving the efficiency, security and quality of products and services. ISO standards also make comparison between vendors easier and level the playing field among different countries.
ISO 27001 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management. ISO/IEC 27001 is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard is a set of best practices for control objectives and controls in the following areas of information security management:
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical And Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
Why ISO 27001 Matters
The ISO 27001 standard provides organizations with an international security and compliance framework that is verified by third-party auditors. Many regulatory frameworks provide high-level policies but no interpretation or guidance on implementation. ISO 27001 fills in those blanks by creating a specific and comprehensive framework of best practices. The control objectives and controls in ISO 27001 are intended to be implemented to meet the requirements identified by a risk assessment. ISO 27001 is designed to provide a platform and practical guideline for organizational security standards and security management practices.
ISO 27001 Implementation
Implementation of ISO 27001 includes the following phases:
- Define an ISMS policy that governs information security management
- Define the scope of the ISMS
- Perform a security risk assessment
- Manage the identified risk
- Select controls to be implemented and applied
- Prepare a Statement of Applicability (SOA) that defines how the organization will implement its information security controls