Information is the lifeblood of all organisations and can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by mail or by electronic means, shown in films, or spoken in conversation.
In today's competitive business environment, such information is constantly under threat from many sources. These can be internal, external, accidental, or malicious. With the increased use of new technology to store, transmit, and retrieve information, we have all opened ourselves up to increased numbers and types of threats.
There is a need to establish a comprehensive Information Security Policy within all organisations. You need to ensure the confidentiality, integrity, and availability of both vital corporate information and customer information. The standard for Information Security Management System (ISMS) ISO27001, has fast become one of the world's established biggest sellers.
What is an Information Security Management System?
An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems. BSI has published a code of practice for these systems, ISO/IEC 17799, which is now being adopted internationally.
Where do I Start?
Develop an information security policy and identify your organisation's key information assets. Purchase the standard, ISO/IEC 17799 & ISO27001 to help you do this.
- Carry out a risk assessment and build your ISMS. Training of key staff will help to ensure its successful implementation.
- Once your management system is fully implemented you can register to ISO27001 with one of the accredited certification bodies
What is ISO27001?
ISO27001 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimise the range of threats to which information is regularly subjected.
- Annex A of BS 7799 identifies 10 controls:
Security policy - This provides management direction and support for information security
- Organisation of assets and resources - To help you manage information security within the organisation
- Asset classification and control - To help you identify your assets and appropriately protect them
- Personnel security - To reduce the risks of human error, theft, fraud or misuse of facilities
- Physical and environmental security - To prevent unauthorised access, damage and interference to business premises and information
- Communications and operations management - To ensure the correct and secure operation of information processing facilities
- Access control - To control access to information
- Systems development and maintenance - To ensure that security is built into information systems
- Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
- Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirements.