ISO 27001 was released as the first standard in the ISO 27000-series of standards for information security or cybersecurity. It was first published in October 2005 and was revised in October 2013 to better accommodate the changing information security challenges. The current version is called ISO 27001:2013.
ISO 27001 is related to ISO 27002 which describes a "code of practice" (basically an instruction manual) surrounding what security measures an organisation can choose to introduce. 27002 was formerly known as ISO 17799 which was based on the British standard BS 7799-1. The current version is ISO 27002:2013.
Why would an organisation choose ISO 27001?
Most organisations have several information security controls. However, if an organisation does not have an ISMS the controls may not be aligned with the business needs of the organisation. Complying with the ISO 27001 standard has a few benefits:
- Trust: It provides confidence and assurance to clients and trading partners that your organisation takes security seriously. This can also be used to market your organisation.
- Efficiency: Control selection is performed as a part of an ongoing risk treatment process.
- Continual Improvement: ISO 27001 requires you to continually improve your organisation's information security. It helps you to better determine the proper amount of security needed for your organisation: not too few resources spent, not too many, but just the right amount.
Organisations can apply for certification in accordance with ISO 27001. It is not possible to be ISO 27002 certified because ISO 27002 does not contain requirements as such.
A new version of ISO 27001 came out at the end of October 2013. Some interesting changes are:
- Increased flexibility in your choice of risk assessment method
- Stricter requirements on the context of the Information Security Management System
- Monitoring and measurement requirements get their own section
Guide to Information Security Risk Management with ISO 27005
One of the governing elements in ISO 27001 is the requirement that information security is based on the actual risks to which the organisation is exposed. As a whole, this activity is known as risk management. Central to risk management are the risk assessment, i.e. the identification and analysis of the risks, and risk treatment, i.e. the implementation of measures to counter those risks. We have published a guide in which we describe the method that we recommend organisations use to manage risk.
How to develop a Statement of Applicability according to ISO 27001:2013
In the new ISO 27001 (as in the old standard), a key document is the Statement of Applicability, the SoA. What is new is that your SoA is so closely aligned with your risk treatment process. It is also new that your organisation is to appoint Risk Owners. The responsibility of a Risk Owner is to approve your risk treatment plan and your risk tolerance, sometimes referred to as risk appetite.
Your SoA describes what controls are part of your ISMS. It is a good thing that you have to justify both control inclusions and exclusions. As the SoA is or becomes such a central document in your ISMS, Neupart has produced a free guide on how to prepare and maintain your SoA most effectively.
Measuring the ISO 27001 ISMS efficiency with KPIs
Efficiency and productivity are discussed in many contexts. In information security management, it also makes sense to ensure processes are working effectively. But how do you actually measure whether your information security is effective and whether it is developing in the right direction?
Neupart has prepared a guide for this purpose. The guide focuses on the ISMS (Information Security Management System) metrics that measure the value and effectiveness of the processes that make up your ISMS. This enables you to show changes over time, for example to report improvements and efficiency to management.