What are the ISO 27001 requirements?

Companies require strong data security that can protect them against unauthorised access, cyber-attacks and data breaches. Weak data security can cause the loss of critical information. Data loss creates a poor customer experience and can harm the organisation’s reputation. The organisation’s ability to function is protected with the help of an Information Security Management System (ISMS).

Secure information also safeguards the organisation’s use of technology, helping it collect, distribute and utilise data safely. As every organisation faces unique information security challenges, a generic security approach is not helpful. The International Organization for Standardization (ISO) 27001 standard attempts to solve this issue by providing companies with a flexible yet comprehensive guide to preparing an encompassing ISMS. In its information security standard, ISO 27001 outlines the applications of the ISMS, its boundaries and its scope of activity. ISO Council helps you to outline the requirements of ISO 27001.

1. Scope of information security management

This part of the document allows organisations to outline the applications and the boundaries of the ISMS. Outlining the applicability involves describing the types of services or products that the organisation creates and where they are provided.

Establishing boundaries also requires organisations to decide which components of the organisation will be subject to the ISMS.

Boundaries can include processes, divisions, departments or even sites. In the majority of cases, the ISMS is applied to the entire organisation, but in certain circumstances, it may be impossible or inappropriate for the whole organisation to fall under the scope of the management system.

2. Information security policy and objectives

This portion of the standard describes the organisation’s approach to handling data. It outlines the organisation’s aim to comply with ethical obligations and legal regulations. The policy demonstrates the organisation’s commitment to continual improvement by describing the steps that will be undertaken to improve the security of data.

3. Risk assessment and risk treatment methodology

This part of the ISO 27001 requirements allows organisations to identify risks in their information management system. It also allows organisations to develop an approach to mitigating those risks and addressing them when they occur. The ISO 27001 standard requires organisations to list the potential risks.

Some examples of potential risks:

  • Unauthorised access by an external party
  • Unauthorised access by an employee
  • Inadvertent sharing
  • Incorrect storage
  • Accidental loss
  • Accidental destruction

The methodology should address how the organisation will identify risks, how the potential consequences of each risk will be assessed and how its severity will be determined.

4. Statement of applicability

This section of the standard allows the organisation to choose its information security controls. As many information security controls are now commonplace, organisations need to identify which specific controls are most suitable for them. It is important to outline why these controls apply to the organisation’s individual circumstances, how they will be implemented and why other controls have been excluded.

5. Risk treatment plan

Once the organisation has established which controls it has selected, the risk treatment plan will outline how the controls will be implemented, who is responsible for implementation and evaluation, and what resources will be required.

6. Risk assessment and risk treatment report

This section of the standard applies the methodology outlined in the earlier section and describes the findings of the assessment. Any identified risks and any treatment undertaken to mitigate those risks are covered under this section.

7. Definition of security roles

This section describes the tasks and responsibilities of each role associated with information security. Full job descriptions, individual responsibilities and tasks need to be included.

8. Inventory of assets

This section asks the organisation to document any assets that are utilised in data storage. Depending upon the organisation’s size, this is one of the larger tasks associated with the ISO 27001 requirements. A comprehensive information security risk assessment needs to be conducted to identify all assets, including desktops, phones, laptops and tablets used in the organisation.

9. Acceptable use of assets

As sensitive data is handled by the assets identified in the previous section, it makes sense to establish acceptable usage terms. Establishing acceptable and appropriate usage helps temporary and permanent employees, as well as contractors, understand how they are permitted to use each device in order to maintain information security.

Some examples of acceptable usage:

  • Using complex passwords
  • Not using assets for personal purposes
  • Not leaving assets unattended
  • Encrypting sensitive information
  • Refraining from copying or transferring sensitive information

10. Access control policy

This section helps organisations ensure that only the appropriate individuals are granted access to sensitive information by identifying how an individual is deemed to warrant access to information, how access is granted and how access is reviewed or revoked.

11. Operating procedures for IT management

Risk assessment in software development, supplier management, customer management and financial accounting should be documented to reduce the likelihood of incidents. As good documentation serves both to communicate the procedures and to deliver them to those who must follow them, it is considered a prerequisite for the successful implementation of risk management.

12. Secure system engineering principles

This section describes how the organisation will develop new IT projects and apply them to the existing infrastructure. When creating these principles, one needs to account for accidents, malicious human behaviour, systemic failures and even natural disasters.

13. Supplier security policy

As suppliers have access to sensitive information that could potentially be exposed to destruction or theft, it makes sense to establish a policy regarding their information security. This policy needs to be grounded in reality, as an unfeasible one could weaken the organisation’s position with larger suppliers. Working on a collaborative policy that fosters close working relationships with suppliers is necessary, but interventions for possible risks should still be planned.

14. Incident management procedure

Documenting incident management makes it clear how the organisation will react to an information security threat or incident. The procedure should outline how the organisation will gather evidence following an incident, establish the circumstances surrounding the incident, ensure that any activities undertaken are recorded for later analysis, raise the incident with regulators and management, and handle the weaknesses that are identified.

15. Business continuity procedures

Every organisation requires documented procedures that help it continue operating after an information security incident. Based on the accepted level of disruption and the required level of continuity, this procedure should outline the responsibilities, actions, timescales, skills and work required to re-establish a management structure.

16. Records of training, skills, experience and qualifications

This section of the standard demonstrates that every individual within the organisation has an appropriate level of competence. It allows organisations to pursue continual improvement by showcasing ongoing training programmes and recording the experience of their employees.

17. Monitoring and measurement of results

One of the most significant advantages of ISO 27001 is its focus on continual improvement. Hence, a critical part of implementing an ISMS is establishing a procedure that monitors the performance and effectiveness of the system. The advantage is that the organisation always has an evaluation report along with measurable data to confirm that processes are progressing appropriately.

18. Internal audit program and results

A key part of maintaining an ISMS is internal audit, as it allows the effectiveness of the organisation’s overall performance to be assessed. Audits also help organisations demonstrate their compliance with legal and regulatory obligations. Holding regular internal audits helps to identify improvements and opportunities.

19. Results of the management review

Leadership is one of the key components of ISO 27001; accordingly, senior management should regularly review the ISMS to ensure that it is effective and up to date. A record of the results should be maintained to provide guidance on any potential issues in the future.

20. Nonconformities and results of corrective action

Documenting any non-conformities identified in the information security processes, together with the actions taken, helps to provide clear evidence that the organisation has taken corrective action. The report should include the details of the non-conformity, the details of the actions taken, any concessions granted and the identification of the responsible individuals.

21. Logs of user activities, exceptions and security events

Logging is necessary to maintain security, and logs of user activities, exceptions and security events help to ascertain how incidents occurred. Preserving these records therefore helps the organisation to identify potential weaknesses in its information security.