What is ISO 27001
When asking what ISO 27001 is, we should know that it is the standard for Information Security Management Systems, formerly known as BS 7799. It was first published in 2005 by the International Organization for Standardization and was revised in 2013. ISO/IEC 27001 is part of the ISO 27000 family of standards. ISO 27001 specifies information technology security techniques and the requirements for an information security management system. When most people say information security they imagine only the technological side of information, but ISO 27000 regulates not only the technological part of an organization but also every process related to any type of information and asset: electronic, paper, mental, etc. The standard helps organizations assess their ability to meet their information security requirements.
The standard has mainly been developed to provide requirements for establishing, implementing and improving an information security management system. The establishment and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, its security requirements, its organizational processes, and its size and structure.
The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process, and gives interested parties confidence that risks are properly managed.
The information security management system is integrated with the organization’s processes and overall management structure, and ensures that information security is considered in the design of processes, information systems, and controls.
Why should organizations decide to go through the ISO certification process?
There are a lot of reasons why organizations want to be ISO 27001 certified, but the first motivation is that every organization wants to manage its risks, to be well organized and to hold a stable place in a competitive market. The second reason is to be recognized publicly and internally and to gain the confidence of its customers. When asking what ISO 27001 is and how they can benefit from it, organizations should keep these two reasons in mind.
The certification process starts with the decision to obtain certification. Before deciding to go through a certification process, every organization must understand well the two reasons mentioned above that compel it to obtain certification, must understand the role of certification in the future of the company, and must weigh the advantages and difficulties of the certification process. The top management of every organization must realise that the certification process involves hard work.
The first step is to choose a certification body accredited by an accreditation body, which will guide the company through the certification process and issue the certificate, and to decide whether the company should hire external advisors or improve its processes using its own internal resources. Then the organization must define the scope of certification and conduct a gap analysis, which is the first diagnostic assessment of how the organization’s policies and procedures differ from the requirements of the standard, and which also determines whether an ISMS already exists within the organization. The aim is not only to identify the gaps but to close them and comply with the requirements of ISO 27001. Implementation and certification would be very difficult without this phase. This phase includes the development of policies and a risk assessment of all the organization’s information assets. Typically, the outcome of this phase includes policies, a risk treatment plan, and the implementation of controls to mitigate the risks in accordance with the organization’s risk tolerance and risk acceptance criteria. A statement of applicability (SoA) must be developed to clarify which controls apply to the organization. Annex A of the standard presents controls which are necessary but not mandatory for the organization: the organization can replace some controls with other or compensating controls, add controls, or decline some of them, based on the predefined SoA.
The next phase is the first certification assessment, which is conducted by the certification body. If all the mandatory requirements are met and there are no major nonconformities, the certification body issues the certificate. In case of major nonconformities, the certification body presents a report containing the nonconformities and recommendations and defines the period for correcting the shortcomings. The certification assessment can be conducted several times until all the nonconformities are eliminated.