vitormaleite

[ISO/IEC 27001] - Structure

Updated: Nov 19, 2023



ISO/IEC 27001 is an international standard that outlines a series of requirements for a company to implement an Information Security Management System (ISMS). Undoubtedly, this standard is my primary reference in my work. Since I've heard that standards can be challenging to study and understand, I've decided to break it down for you in this series of articles, starting today, to demonstrate that it's not as daunting as it might seem.


The most recent version of this standard is 2022, but its initial version was developed based on the British Standard BS 7799-2.



The standard can be implemented in any type of organization, whether for-profit or nonprofit, private or public, small or large. Companies may seek certification to attest to the presence of an ISMS in accordance with the standard. However, it's worth noting that a company can also use it as a reference without pursuing certification, which I strongly recommend.


It's essential to understand that the standard is composed of 11 sections, with Sections 0 to 3 being introductory and Sections 4 to 10 being mandatory for companies seeking certification. Annex A lists the famous 93 controls, which were 114 in the 2013 version.


For the mandatory sections, requirements are described to enable the company to establish, implement, monitor, and continually improve its Information Security Management System (ISMS). This system consists of controls related to human, physical, technological, and procedural resources aimed at protecting the business's information assets.


Having a structured ISMS as required by the standard essentially means following the well-known PDCA (Plan, Do, Check, Act) cycle.

In this cycle, Sections 4 to 7 correspond to the Planning phase (Plan), Section 8 to the Execution phase (Do), Section 9 to the Monitoring phase (Check), and Section 10 to the Improvement phase (Act). We will delve into each of these phases in future articles.

Whether your goal is to certify your company to the standard or seek a reference for information security, taking it as a foundation will undoubtedly bring excellent benefits to your company, such as:

  1. Facilitating compliance with legal requirements, regulations, and contractual actions;

  2. Providing a competitive advantage and market differentiation;

  3. Improving the company's culture;

  4. Aligning strategic objectives with information security;

  5. Adopting a process approach to enable activities to be executed logically, systematically, and securely.

Today was just an introductory part, but I invite you to follow the upcoming articles in the series. Let's dive together into this wonderful standard; I'll share a lot of my experiences.

I appreciate your readership. To proceed to Part 2 of the series: link.


Sources: advisera and amanhardikar
