Securing Information Assets through ISO 27002
Information assets are always exposed to internal and external threats, while the people and processes that use them have inherent vulnerabilities. Furthermore, one must consider emergent risks arising from changes in processes or in the business environment. It is therefore crucial to put in place an effective information security management system (ISMS) to avoid, restrict or control the damage that results when a threat exploits one of these vulnerabilities. The scope of effective information security covers not only data but also the policies and procedures, processes, organizational structures, and software and hardware surrounding or using that data. This can be achieved through adoption of ISO 27002.
ISO 27002 provides a code of practice for those responsible for initiating, implementing and maintaining an ISMS. The 2013 edition of ISO/IEC 27002 (the edition described here; the 2022 revision restructured the standard into 93 controls grouped under four themes) defines 35 security categories spread across the following 14 control clauses, covering a total of 114 controls:
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
Each of the 114 controls is organized so that it relates to a specific control objective (security category). For every control the standard also provides implementation guidance, to aid in putting the control in place and in ensuring that its objective is actually met.
These controls were designed considering the following factors essential for successful implementation of information security:
- Alignment of information security policies with business objectives;
- A well-established risk management framework within the organization;
- Support from top management for information security initiatives;
- Awareness of criticality of information security as well as communication of relevant policies and guidelines to all stakeholders;
- Established information security incident management process; and
- Established framework for implementation, maintenance and monitoring as well as process for evaluation of performance of information security initiatives/controls.
However, before implementing these controls, the organization must first select the controls that are relevant to it. Not every control applies to every organization; the selection is driven by establishing the organization's security requirements and assessing its security risks.
The security requirements could be identified through
- Risk assessments performed keeping in mind the overall business strategy and objectives;
- Legal, statutory, regulatory and contractual requirements that the organization and its stakeholders must adhere to; and
- The set of policies/procedures/requirements for information handling, processing, storing, communicating and archiving developed for supporting business processes.
We must also consider that information has a natural lifecycle, from creation, through processing, storage and transmission, to its eventual destruction or decay. Consequently, the value of an asset and the risks to it may vary over its lifetime. Information security requirements therefore need to be taken into account at every stage of that lifecycle, not only at creation.