Information Security Management System: Introduction to ISO 27001

Current scenario: Today's organizations rely heavily on information systems to manage the business and to deliver products and services. They rely on IT for the development, production, and delivery of various internal applications. These include financial databases, employee time booking, helpdesk and other services, remote access for customers and employees, remote access to customer systems, interaction with the outside world via email and the Internet, and services consumed from third-party and subcontracted providers.

Business requirements: Information security is required as part of contracts with clients. Marketing wants a competitive advantage and a way to build customer trust. Senior management wants to know the status of IT infrastructure outages, information leaks and information incidents within the organization. Legal requirements such as the Data Protection Act, copyright, design and patent regulation, and the regulatory requirements that apply to an organization must be adhered to and protected. The biggest challenges for the information system are protecting information and information systems to meet business and legal requirements, providing and demonstrating a secure environment for customers, managing security between competing customer projects, and preventing leaks of sensitive information.

Definition of information: Information is an asset that, like other important business assets, is valuable to an organization and therefore must be properly protected. Whatever forms the information takes or the means by which it is shared or stored, it must always be adequately protected.

Forms of Information: Information may be stored electronically. It can be transmitted over the network. It can be shown in videos, and it can be verbal.

Information Threats: Cyber criminals, hackers, malware, Trojans, phishing and spammers are the main threats to our information system. A study found that most of the people who committed sabotage were IT workers displaying characteristics that included arguing with co-workers, being paranoid and disgruntled, being late for work and exhibiting poor job performance in general. Of these cybercriminals, 86% were in technical roles and 90% had administrator or privileged access to company systems. Most committed the crimes after their jobs ended, but 41% sabotaged systems while still employed by the company. Natural calamities such as storms, tornadoes, and flooding can also cause extensive damage to our information system.

Information Security Incidents: Information security incidents can cause disruption to organizational routines and processes, decreased shareholder value, loss of privacy, loss of competitive advantage, reputational damage causing brand devaluation, loss of trust in IT, spending on information security assets to recover data that was damaged, stolen, corrupted or lost in incidents, reduced profitability, and injury or loss of life if safety-critical systems fail.

Some basic questions:

• Do we have an information security policy?

• Have we ever analyzed the threats/risks to our IT activities and infrastructure?

• Are we prepared for natural calamities like floods, earthquakes, etc.?

• Are all of our assets insured?

• Do we trust that our IT infrastructure/network is secure?

• Is our business data secure?

• Is the IP telephone network secure?

• Do we configure or maintain application security features?

• Do we have a segregated network environment for the production server, testing and application development?

• Are office coordinators trained to handle a physical security incident?

• Do we have control over the distribution of software/information?

Introduction to ISO 27001: In business, having the right information with the right person at the right time can make the difference between profit and loss, success and failure.

There are three aspects of information security:

Confidentiality: Protecting information from unauthorized disclosure, for example to a competitor or to the press.

Integrity: Protecting information from unauthorized modification and ensuring that information, such as the price list, is accurate and complete.

Availability: Ensuring information is available when you need it.

Guaranteeing the confidentiality, integrity and availability of information is essential to maintaining competitive advantage, cash flow, profitability, legal compliance, and commercial and brand image.

Information Security Management System (ISMS): This is the part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security. The management system includes the organizational structure, policies, planning activities, responsibilities, practices, procedures, processes, and resources.

About ISO 27001: It is the leading international standard for information security management; more than 12,000 organizations worldwide are certified against it. Its purpose is to protect the confidentiality, integrity and availability of information. Technical security controls, such as antivirus and firewalls, are not normally audited in ISO/IEC 27001 certification audits: it is essentially presumed that the organization has adopted all the controls necessary for its information security. The standard does not focus only on information technology but also on the other important assets of the organization; it covers all business processes and business assets. The information may or may not be related to information technology, and may or may not be in digital form. It was first published as the Department of Trade and Industry (DTI) Code of Practice in the UK, known as BS 7799. ISO 27001 has two parts: ISO/IEC 27002 and ISO/IEC 27001.

ISO/IEC 27002:2005: This is a code of practice for information security management. It provides guidance on best practices and can be used as needed within your business. It is not used for certification.

ISO/IEC 27001:2005: This is used as the basis for certification. It combines a management programme with risk management. It has 11 security domains, 39 security objectives and 133 controls.

ISO/IEC 27001: The standard contains the following main sections:

  • Risk assessment
  • Security policy
  • Asset management
  • Human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development and maintenance
  • Information security incident management
  • Business continuity management
  • Compliance

Benefits of Information Security Management Systems (ISMS): The main benefit is competitive advantage. Business partners and customers respond favorably to trusted companies, and having an ISMS demonstrates maturity and reliability; some companies will only partner with those that have one. ISMS implementation can also create efficiencies in operations, leading to reduced costs of doing business, so companies with an ISMS can compete on price as well.

Reasons for ISO 27001: There are obvious reasons to implement an Information Security Management System (ISO 27001). The ISO 27001 standard supports legal and regulatory compliance. Information assets are very important and valuable to any organization. Shareholders, business partners and customers must be able to trust the organization's information technology before the organization can realize its business advantages. ISO 27001 certification shows that information assets are well managed, taking into account the security, confidentiality and availability of those assets.

Establishment of the ISMS: Is information security a management challenge or a technical issue? Information security should be viewed as a business and management challenge, not simply a technical problem to be left to experts. To keep your business secure, you need to understand both the problems and the solutions. Instituting an ISMS is roughly 80% a matter of management roles and responsibilities and 20% a matter of the technology system.

Beginning: Before you start to institute an ISMS, you must obtain management/shareholder approval. You have to decide whether you are doing it for the whole organization or just a part of it. You need to assemble a team of qualified stakeholders and professionals, and you may choose to supplement the team with consultants who have implementation experience.

ISMS Certification (ISO 27001): An independent third-party verification of the organization's information security assurance against the ISO 27001:2005 standard.

Precertification:

• Stage 1 – Documentation audit

• Stage 2 – Implementation audit

Post-certification:

• Continuous surveillance for 2 years

• Third-year reassessment/recertification

Conclusion: Before implementing a management system for its information security controls, an organization already has various security controls over its information system. Information, being a very critical asset for any organization, must be well protected against leaks and hacks. ISO/IEC 27001 is the standard for an information security management system (ISMS) that ensures information security through well-managed processes. ISMS implementation leads to efficiencies in operations, which in turn reduce the costs of doing business.
