Dynamic Strategies

Without continual growth and progress, such words as improvement, achievement, and success have no meaning. - Benjamin Franklin

ISO/IEC 27001:2013 - Information Security


ISO/IEC 27001:2013 applies to all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations). It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within the context of the organization's overall business risks, together with requirements for implementing security controls customized to the needs of individual organizations or parts thereof.


ISO/IEC 27001:2013 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

ISO/IEC 27001:2013 is intended to be suitable for several different types of use, including the following:


Information is critical to the operation and perhaps even the survival of your organization. Being certified to ISO/IEC 27001 will help you to manage and protect your valuable information assets.

ISO/IEC 27001 is the only auditable international standard that defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls.

Who is it relevant to?

ISO/IEC 27001 is suitable for any organization, large or small, in any sector or part of the world. The standard is particularly suitable where the protection of information is critical, such as in the finance, health, public and IT sectors.


Certifying your ISMS against ISO/IEC 27001 can bring the following benefits to your organization:

Note: these benefits are not realized by organizations that merely comply with ISO/IEC 27001, or with the recommendations in the Code of Practice standard ISO/IEC 17799 (since renumbered ISO/IEC 27002), without being certified.

Implementation of ISO 27001 certification

ISMS Consulting & Training

If you are wondering where to start with ISO 27001 implementation, the ISO 27001 standard defines a six-stage process that is closely related to the iterative Plan-Do-Check-Act (PDCA) approach mentioned earlier. PDCA is the mindset the company has to adopt in order to run the ISMS effectively: it describes how to operate. The six-stage process describes what the company needs to do to operate according to the ISO 27001 standard.

  • Define an Information Security Policy.

  • Define scope of the Information Security Management System (ISMS).

  • Perform a security risk assessment.

  • Manage the identified risk.

  • Select controls to be implemented and applied.

  • Prepare a Statement of Applicability (SoA).
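Stages 3 to 6 above are one procedure: rate each risk, decide its treatment, pick the controls that treatment needs, and record every control's applicability with a justification. The following Python script is an added example of that procedure and is not part of the original page or of the standard. The 1..5 likelihood and impact scales, the score = likelihood × impact rule, the risk appetite of 9, and the sample register entries are all assumptions made here for illustration; the six Annex A identifiers are real ISO/IEC 27001:2013 control numbers, but a real Statement of Applicability has to cover all 114 Annex A controls, not this subset.

```python
from dataclasses import dataclass

# Assumed scales and appetite (not from the page): 1..5 likelihood and impact,
# risk score = likelihood * impact, and any score above 9 must be treated.
SCALE = range(1, 6)
RISK_APPETITE = 9

# Subset of ISO/IEC 27001:2013 Annex A control identifiers used below.
# A real Statement of Applicability must cover all 114 Annex A controls.
CONTROLS = {
    "A.9.2.3": "Management of privileged access rights",
    "A.9.2.6": "Removal or adjustment of access rights",
    "A.11.2.2": "Supporting utilities",
    "A.12.3.1": "Information backup",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.12.7.1": "Information systems audit controls",
}


@dataclass(frozen=True)
class Risk:
    """One row of the risk register (stage 3: risk assessment)."""
    asset: str
    threat: str
    likelihood: int
    impact: int
    controls: tuple = ()  # Annex A IDs proposed to reduce this risk

    def __post_init__(self):
        # Reject ratings outside the agreed scale and typos in control IDs early;
        # a register with unrated or unmapped rows is what auditors find first.
        for value in (self.likelihood, self.impact):
            if value not in SCALE:
                raise ValueError(f"rating {value} outside scale {SCALE.start}..{SCALE.stop - 1}")
        for cid in self.controls:
            if cid not in CONTROLS:
                raise ValueError(f"unknown control {cid}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def treatment(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Stage 4: risks within appetite are accepted, the rest must be mitigated
    (transfer and avoidance are omitted to keep the example short)."""
    return "accept" if risk.score <= appetite else "mitigate"


def select_controls(register, appetite: int = RISK_APPETITE) -> set:
    """Stage 5: the union of controls proposed for every risk that is mitigated."""
    selected = set()
    for risk in register:
        if treatment(risk, appetite) == "mitigate":
            selected.update(risk.controls)
    return selected


def statement_of_applicability(register, appetite: int = RISK_APPETITE) -> dict:
    """Stage 6: map every catalogue control to (applicable, justification).
    A selected control names the risks it treats; an excluded control records
    why no risk required it, which is the justification an auditor asks for."""
    selected = select_controls(register, appetite)
    soa = {}
    for cid in sorted(CONTROLS):
        if cid in selected:
            treats = [
                f"{r.asset}: {r.threat} (score {r.score})"
                for r in register
                if cid in r.controls and treatment(r, appetite) == "mitigate"
            ]
            soa[cid] = (True, "treats " + "; ".join(treats))
        else:
            soa[cid] = (False, f"no risk above appetite {appetite} requires it")
    return soa


# Constructed sample register for illustration; assets and ratings are invented.
REGISTER = [
    Risk("accounting database", "loss of data", 2, 5, ("A.12.3.1",)),
    Risk("critical systems", "only one person holds access", 3, 4, ("A.9.2.3",)),
    Risk("internet-facing hosts", "unpatched vulnerability exploited", 4, 4, ("A.12.6.1",)),
    Risk("server room", "power outage", 2, 3, ("A.11.2.2",)),
    Risk("leaver accounts", "ex-employee retains access", 3, 4, ("A.9.2.6",)),
]

if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.score:>2}  {treatment(risk):8}  {risk.asset}: {risk.threat}")
    for cid, (applicable, why) in statement_of_applicability(REGISTER).items():
        print(f"{cid:9} {CONTROLS[cid]:40} {'YES' if applicable else 'no':3}  {why}")
```

With the assumed appetite the power-outage risk (score 6) is accepted, so A.11.2.2 is recorded as not applicable with that reason, while the four risks scoring above 9 each pull in their proposed control. Changing RISK_APPETITE is the management decision that the SoA has to be able to trace; rerunning the script shows how that single number changes which controls you are committing to implement.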


Benefits of ISO 27001 certification

A robust audit and certification scheme supports the ISO 27001 standard. ISO 27001 certification is expensive and takes considerable effort and time, but it also provides many valuable benefits that ultimately have a positive effect on your bottom line.

ISO 27001 certification can help you to:

  • Map your corporate information system structure (infrastructure, buildings, cabling, environment, alarms, fire and flood prevention, access control, and others),

  • Make existing processes more effective or create missing processes (e.g. process for revoking access to employees leaving your company),

  • Identify and acknowledge security risks (e.g. only one person has access to critical systems),

  • Start active and effective protection against risks (e.g. power surge or power outage protection),

  • Protect vital business assets (e.g. backup of accounting database),

  • Design ongoing system optimization (e.g. ongoing security audit),

  • Maintain lower information technology costs (e.g. managed deployment of software patches),

  • Create competitive advantage (e.g. improved credibility for your partners and clients),

  • Improve your business (e.g. potential data exchange with your clients, ability to apply for government contracts, some major corporations prefer suppliers that can prove they meet best-practice standards, investors and shareholders often call for information security),

  • Reduce insurance premiums (e.g. insurance premiums can be reduced if you can prove compliance),

  • Reduce the potential for lawsuits (e.g. by avoiding customer information being stolen or misused).