ISO27001 – Information Security Standard

Hardly a week goes by without a news article saying that some data has been stolen/lost/accidently revealed.  The Standard is due to change later this year but businesses considering incorporating this standard should not wait for the new standard, but start on the process now.

Information is the lifeblood of all organisations and can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by mail or by electronic means, shown in films, or spoken in conversation.  The loss or exposure of this information can be really damaging. So do not delay!

The three main principles of any information security management system are:-

Confidentiality – making sure that private date stays private;

Integrity – making sure that data is protected from loss or alteration;

Availability – making sure that data is available when required.

 

Where do I Start?

 

Develop an information security policy and identify your organisation's key information assets. Purchase the standard, ISO/IEC ISO27001 and the Code of practice ISO/IEC 27002 to help you do this.

1. Carry out a risk assessment and build your ISMS. Training of key staff will help to ensure its successful implementation.
2. Once your management system is fully implemented you can get your system certificated to ISO27001 with one of the accredited certification bodies

 

What is ISO27001?

 

ISO27001 is an international standard setting out the requirements for an Information Security Management System. Using 27002, it helps identify, manage and minimise the range of threats to information.

• Security policy - This provides management direction and support for information security
• Organisation of information security - To help you manage information security within the organisation
• Asset management - To help you identify your assets and protect them as required
• Human resources security - To reduce the risks of human error, theft, fraud or misuse of facilities
• Physical and environmental security - To prevent unauthorised access, damage and interference to business premises and information
• Communications and operations management - To ensure the correct and secure operation of information processing facilities
• Access control - To control access to information systems
• Information systems acquisition, development and maintenance - To ensure that security is built into information systems
• Information security incident management – to react to security incidents or weaknesses
• Business continuity management - To deal with  interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
• Compliance- To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirements.

There will be a transitional period when the revised standard is issued, and businesses can choose to be assessed against the existing or new standards.   Once the transition period is completed (usually 12 months) then all businesses will have to comply with the new standard.