What is ISO 27001?
ISO 27001 is an international standard for information security management, created by the ISO (the International Organization for Standardization). The document sets out requirements and guidelines for establishing information security standards within an organisation, and for maintaining those standards over the lifespan of a system. ISO 27001 is designed to be applicable regardless of company size, with recommendations shaped by a company's needs. It aims to ensure the confidentiality, integrity and availability of data. It also provides a risk management framework to help organisations understand their risks.
Because ISO 27001 is a standard, it allows both internal and external reviews of a company's security management practices to be undertaken. Various companies offer auditing and certification in ISO 27001 practices. The version currently in use was created in 2013, with minor changes having been made since then.
ISO 27001 calls upon companies to examine various areas of their businesses. These areas are all equally important to ensure a secure solution.
1: Context of the organisation
The organisation needs to understand the unique risks it may face because of the domain it operates in, as well as the generic ones. It also needs to establish what data must be stored, and who needs to access it. For example, a company that holds customer data within the UK would need to be compliant with GDPR. In addition, it may hold government data that requires security clearances to be accessed. These two types of data will need to be accessed by different people, in different ways. They may also attract interest from different adversaries, so one may require higher levels of security than the other.
2: Leadership
It is important that leadership be completely on board with security policy to help create a culture of security within an organisation. This comes not only from ensuring compliance with guidelines, but from promoting security (and its continual improvement) within the company.
ISO 27001 calls for the explicit creation of not only security policy, but also for the assignment of responsibility and authority for security matters. This should all be recorded on paper so that there is no question of who should be carrying out which security related tasks.
3: Planning
When planning the creation of an information security management system, a company must be cognisant of the unique threats it may face, as considered earlier within the document. The company needs to plan not only how to address these threats, but how to evaluate the risks involved. ISO 27001 calls on a company to attempt to quantify the risks it faces (in terms of probability and potential for damage), how the risks may be addressed (also in terms of cost), and to decide on its particular risk appetite. Again, it is important that all of this be documented, and that risk ownership be assigned.
For example, a company may decide that it is likely that a specific area of their system will be targeted, and that the compromise of such information could have large financial implications. They may choose to then concentrate efforts on securing this area over other areas which are less likely to be compromised.
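The planning approach described above, worked through as a small quantitative risk register (an example added here, not part of the original article or the standard itself): each risk carries a documented owner, an annual probability, an estimated loss, the cost of the planned treatment, and the residual probability once that treatment is in place. All figures and names are constructed for illustration; the register flags risks with no owner, risks above the stated appetite, and ranks treatments by expected loss avoided per unit of cost, which is the reasoning behind concentrating effort on the most exposed area.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    owner: str                    # ISO 27001 asks for documented risk ownership
    probability: float            # chance the risk occurs in a year (0..1)
    impact: float                 # estimated loss if it occurs (currency units)
    treatment_cost: float         # annual cost of the planned control
    residual_probability: float   # probability once the control is in place

    def expected_loss(self) -> float:
        """Annual expected loss before treatment: probability x impact."""
        return self.probability * self.impact

    def residual_loss(self) -> float:
        """Annual expected loss that remains after the control is applied."""
        return self.residual_probability * self.impact

    def benefit_per_cost(self) -> float:
        """Expected loss avoided per unit spent on the treatment."""
        reduction = self.expected_loss() - self.residual_loss()
        if self.treatment_cost <= 0:
            return float("inf")   # a free control is always worth taking
        return reduction / self.treatment_cost


def unowned(register):
    """Names of risks with no documented owner (a planning gap to fix)."""
    return [r.name for r in register if not r.owner.strip()]


def above_appetite(register, appetite):
    """Risks whose expected annual loss exceeds the stated risk appetite."""
    return [r.name for r in register if r.expected_loss() > appetite]


def prioritise(register):
    """Treatment order: highest expected loss avoided per unit of cost first."""
    ranked = sorted(register, key=lambda r: r.benefit_per_cost(), reverse=True)
    return [r.name for r in ranked]


# Constructed sample register (hypothetical values, not from any real assessment).
REGISTER = [
    Risk("Customer database breach", "Head of IT", 0.20, 500_000, 40_000, 0.05),
    Risk("Office laptop theft", "Facilities", 0.50, 10_000, 2_000, 0.30),
    Risk("Website defacement", "", 0.10, 20_000, 15_000, 0.02),
]

if __name__ == "__main__":
    print("No owner:", unowned(REGISTER))
    print("Above appetite:", above_appetite(REGISTER, 50_000))
    print("Treatment priority:", prioritise(REGISTER))
```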
4: Support
Companies should determine the resources required for all stages of an information security management system's lifespan, from inception to continual improvement. This includes staff allocation and training levels. At this point it should also be considered how to raise awareness of the new security policies within an organisation, including how they should be communicated (and to whom).
Support for relevant documentation should also be provisioned for. The information security management system document should be continually updated and improved upon. The documentation must be continually reviewed, and presented and stored in an appropriate manner.
5: Operation
The company needs to implement all of the practices planned for. Processes should be in place to keep the documentation up to date, and to manage change within the security field (and even within the organisation itself). Future security risk assessments should be decided upon, with testing intervals planned for. What actions to take in the event that regular testing discovers an issue should also be planned for.
6: Performance evaluation
The information security management system's performance should be continuously evaluated to assure its effectiveness. The organisation should set out which metrics need to be measured to evaluate security, and which tools should be used. Monitoring of security systems should be planned for, including who will be responsible for the monitoring and how results should be analysed and evaluated.
Internal audits should be conducted on all aspects of the information security management system at planned intervals. These should check that the implemented system meets the standards set out in the plan, as well as international standards. It is important that management reviews the outputs of internal security audits, so that changes can be made if required.
7: Improvement
In the event that a nonconformity occurs, the organisation should be able to handle it. This includes reacting to it, evaluating why it occurred, and reviewing the effectiveness of any changes made. This process should all be documented for future reference. Continual improvement should also be used to ensure that the information security management system is as effective as possible, not just in response to incidents.