What does ISO 27001 do?

ISO 27001 is a specification for an Information Security Management System (ISMS). Essentially, the ISMS is a framework of policies and procedures that include all technical, physical and legal controls involved in an organisation’s information risk management processes. According to its documentation, the standard was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving,” the effectiveness of an ISMS.

The ISO 27001 utilises a top down, risk-based approach to achieve technological neutrality. The specifications of the standard describes a six part planning process, that begins by defining a security policy going on to define the scope of the ISMS. After defining the scope of the ISMS, the organisation should conduct a risk assessment to manage identified risks and select control objectives and controls that will be implemented. The last step is to prepare a statement of applicability. In this article, with the help of ISO consulting in Australia, we will get to know how ISO 27001 works.

ISO 27001 specifications and standards

The specifications within the standard also include recommendations for documentation, management responsibility, internal audits, continual improvement and corrective actions. The ISO 27001 standard requires cooperation among all sections of an organisation to achieve optimal security management.

The ISO 27001 standard does not mandate specific information security controls, rather, it provides a list of controls that should be considered in the creation of the code of practice. With ISO 27001 consulting, we help you to get more information about the standards, requirements and how to implement it.

What is ISO 27001?

The ISO 27001 is formally known as the ISO/IES 27001: 2013. It is a joint product of the International Electrotechnical Commission (IEC), and the International Organization for Standardization (ISO). The ISO 27001 is the most well-known out of a dozen published standards in the ISO/IEC 27000 family, and it is the only standard of the family against which an organisation can be certified, whereas, the ISO 27002 serves primarily as a reference guide for the “main” standard.

In contrast to some other famous standards, achieving and demonstrating ISO 27001 compliance does not require strict adherence to the specific technical controls. Rather, the focus is on risk management and choosing a protective yet proactive approach to security across the entire organisation. More than a dozen controls can be found in the standard’s “Annex A,” but, there is no obligation that all the ISO 27001 certified organisations must implement each and everyone of these controls.

Instead, each organisation is urged to apply an appropriate subset of these controls based upon the unique risks identified in their business operations. We have already provided complete information about it in the article What is ISO 27001.

Meaning of information security standard

Here, it is important to remember that the ISO 27001 is a framework that is applicable to all types of data. In fact, the ISO deliberately portrays the ISO 27001 as an “information security” standard instead of a framework that focuses on cyber security. This is because in today’s era, although, a great deal of information exists in a digital format, there are certain organisations where the policies, procedures, propriety knowledge and even buy-in from senior management are kept in a physical format. The misuse of these tangible assets can still adversely affect an organisation.

Therefore, the aim of the ISO 27001 is to ensure that an organisation’s policies, procedures, people, documentation and control maintain confidentiality, integrity and availability.

What does the ISO 27001 do?

The ISMS enables security operators to streamline and optimise security and emergency preparedness by reducing ambiguity. Simply put, the ISO 27001 looks for clarity and focus within an organisation, in relation to the key parts of the ISMS. This means that the ISO 27001 identifies who is overall accountable for security management and who is responsible for certain parts.

Hence, in order to demonstrate compliance to the standard, you need to demonstrate that certain roles exist within the organisation with respect to information security monitoring and evaluation. Here, it is important to mention that when talking about roles, it does not necessarily mean people. The organisation has to demonstrate that roles and responsibilities have been appointed by the top management and are communicated to the relevant interested parties.

Additionally, the organisation also needs to demonstrate that these roles are documented clearly to show that there is no ambiguity regarding responsibilities. To implement ISO 27001, you must be familiar with ISO 27001 audit checklist.

ISO 27001 Benefits for business

The ISO 27001 makes ISMS ownership easy, engaging and practical with its collaborative team membership, improvement owners, policy risk owners, security risk owners and information security objective owners. The delegation of these roles makes employee engagement easy in practice and allows a clear flow down from the top management, which aligns with the clause 5.3. As a result of clear delineation of responsibilities, the ISMS is prepared for emergencies and adverse events.

The ISO 27001 specifically looks for clarity in roles and responsibilities to ensure that the information security management system abides to the requirements of the ISO. Additionally, it ensures that the performance of the ISMS can be regularly monitored, reported and improved.

Regularly monitoring the performance of the ISMS allows it remain updated, helping it to respond to evolving security threats. So, in addition to securing your information, establishing a centrally managed framework and protecting confidentiality, availability as well as integrity of data, the ISO 27001 creates a culture of continual improvement.