Understanding ISO 27001 - An Information Security Standard

Over the last few months I have been reading about various IT and InfoSec frameworks such as COBIT, the NIST Cybersecurity Framework, ISO 27001 and the CIS Critical Security Controls to find a suitable framework to implement in my organisation. ISO 27001 is one of the most important information security frameworks. ISO 27000 is a family of standards which, if implemented properly, helps an organisation secure its information assets. In this family, ISO 27000 provides an overview and vocabulary, ISO 27001 defines the requirements for the program, and ISO 27002 defines the operational steps necessary in an information security program.

ISO 27001 is the standard which defines the requirements for an organisation to implement an Information Security Management System (ISMS), and it is the main standard in the ISO 27000 series. In simple words, it describes how to manage information security in a company. It can be implemented in any organisation irrespective of its size or type: profit or non-profit, private or state owned. An organisation can get certified against ISO 27001, but certification is not obligatory. One may choose to implement the standard first and get certified later, when the organisation is compelled by regulations or wants to increase its trust among customers and clients. The standard was first published in 2005 and was recently revised in 2013.

ISO 27001 has eleven short clauses, 0 to 10, and an Annex A. Clauses 0 to 3 describe the standard, and clauses 4 to 10 set the requirements for the information security management system which must be implemented for an organisation to be compliant with the standard. Annex A contains 114 security controls, or safeguards, grouped into 14 sections. The standard takes a risk management approach to protecting the information security of a company: a risk assessment is done to find potential risks to information, and then risk mitigation is done to address them through security controls. The security controls used to address risk take the form of policies, procedures and technical controls (hardware or software) to secure assets.

ISO 27001 benefits organisations by implementing security in a comprehensive manner. It helps organisations comply with legal requirements, achieve a marketing advantage by reassuring customers about security, lower costs by preventing incidents, and be better organised by defining processes and procedures for a coordinated approach to information security.

The ISO 27001 standard is not freely available and has to be purchased, either online or in paper form, for reference and implementation. Advisera, a training and consultancy company, has a number of useful articles on ISO 27001 basics, implementation ideas and checklists. It also has two very useful and surprisingly free courses on the standard. The first, the ISO 27001:2013 Foundations Course, explains the standard and gives excellent coverage of it in 6 modules totalling 8 hours. The second, the ISO 27001:2013 Internal Auditor Course, covers the basics of how an organisation can be audited to ensure that the ISO 27001 standard has been implemented properly. Their website has a wealth of information on ISO 27001 and other ISO standards, including blog posts, white papers, checklists, presentations, video tutorials and webinars. I would recommend everyone interested in the standard to go through their website comprehensively before taking any training or implementing the standard. In India, BSI India and SQTC conduct in-person trainings on ISO 27001 covering Foundations, Lead Implementer and Lead Auditor courses.

I hope I have given a good overview of the ISO 27001 standard. Please do comment and ask questions if you have any queries or suggestions.

References

  1. ISO 27001 reference website - http://www.iso27001security.com/
  2. Advisera - ISO 27001 Academy - http://advisera.com/27001academy/
