ISO 27001: Information Security Management System

Introduction to ISO 27001

ISO 27001 (previously published as ISO/IEC 27001:2005) specifies the requirements for an information security management system (ISMS). The scope of an ISMS covers all policies and procedures related to legal, physical and technical controls, their documentation control, and their effective implementation for the minimization of risk.

Six Part Planning Process of ISO 27001

  • Security Policy: Define a security policy.
  • ISMS Scope: Define the scope of the ISMS.
  • Risk Assessment: Conduct a risk assessment.
  • Risk Identification: Identify risks and manage them so that the identified risks are minimized.
  • Control Objectives Settings: Minimize risks by selecting the control objectives and other controls that need to be implemented.
  • Statement of Applicability: Thoroughly prepare a Statement of Applicability.

Process Approach of ISO 27001

The process approach of ISO 27001 refers to the process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s Information Security Management System, commonly abbreviated as ISMS.

The process approach of ISO 27001 places its emphasis on:

  • Setting up the policy and goals for information security and developing an in-depth understanding of the information security requirements.
  • Managing information security risks in order to implement and operate the controls that manage information security.
  • Periodic monitoring and review of the performance and effectiveness of the ISMS.
  • Objective measurement and tracking based on continual improvement methodologies that ensure the highest level of customer satisfaction.

The PDCA (Plan-Do-Check-Act) model has been adopted by the international standards; it reflects a robust approach to a flourishing continual improvement cycle and to implementing the principal guidelines for risk assessment and for the design, implementation, review, management and re-assessment of security.

Purpose of ISO 27001

ISO 27001 highlights the importance of all mandatory requirements for protecting a system’s information and its integrity at all costs. How does ISO 27001 work? It works through risk management and risk reduction in order to protect the system’s confidentiality and to close any potential leakages that are identified.

Structure of ISO 27001

Section 0: Illustrates the working principle of ISO 27001 and its compatibility with other ISO standards.

Section 1: Defines the scope and applicability.

Section 2: Refers to the references and definitions used by ISO 27001.

Section 3: Refers to the relevant terms and their contextual explanation.

Section 4: Defines the organizational context, which is closely related to the Plan part of the PDCA cycle.

Section 5: Highlights leadership and top-management commitment by clearly defining top-down roles and responsibilities for team members.

Section 6: Defines how the Planning phase of PDCA works by setting out the essentials of risk management and risk minimization, and helps to create the Risk Treatment Plan by establishing system security goals.

Section 7: Stresses the importance of making supporting resources available, creating awareness and building up the competency of employees regarding ISO 27001 and its requirements.

Section 8: Denotes the “Do” phase of the PDCA cycle and explains the step-by-step implementation of risk minimization, risk assessment and risk treatment.

Section 9: Refers to the “Check” step of the PDCA cycle, where tools such as internal auditing techniques, gap analysis, closure of identified gaps and evaluation in management reviews are used.

Section 10: The continuous improvement cycle runs in the form of PDCA’s “Act” step, where major and minor non-conformities are hunted down and opportunities for improvement (OFI) are highlighted.

Implement an information security management system (ISMS) aligned with ISO 27001

The following are the 13 key milestones one should work through when implementing ISO 27001:

  • Define the scope of the ISMS
  • Develop the ISMS policy
  • Carry out internal audits
  • Execute a gap analysis
  • Identify risks by performing a risk assessment
  • Reduce and manage your risks
  • Establish a Risk Treatment Plan
  • Effective documentation and document control
  • Roll out employee training programs
  • Conduct regular evaluations
  • Set up management reviews
  • Select an ISO certification body
  • Maintain the ISMS through periodic reviews

How Do the PDCA Cycle and Continuous Improvement Methodology Apply to the ISMS?

The Plan-Do-Check-Act cycle, abbreviated as PDCA, applies to the ISMS as follows:

  • Plan: Plan and set up the ISMS policy, objectives, processes and procedures that help to minimize risks and improve system security.
  • Do: Implement and effectively operate the ISMS policy, controls and processes.
  • Check: Monitor, verify and periodically review the ISMS performance indicators and track them.
  • Act: Maintain and continuously improve the ISMS by applying the corrective and preventive action approach.

What to Verify in ISMS Internal Audits?

Periodic ISMS internal audits should be carried out at regular intervals to verify whether the ISMS guidelines are being adhered to. The current ISMS should conform to:

  • All requirements of ISO 27001.
  • Effective implementation and maintenance of adherence to the ISO 27001 clauses.
  • Continuous improvement via the corrective and preventive actions approach.

How Does the Corrective Actions Approach Work in the ISMS?

Corrective actions are the actions taken to eliminate the cause of non-conformities in order to prevent their recurrence. The corrective actions that are implemented should define mandatory requirements for:

  • Identification of non-conformities
  • Determination of the cause of non-conformities
  • Implementation of corrective actions
  • Evaluation of corrective actions based on whether the non-conformity recurs and whether the fix is sustained
  • Recording the results of implemented corrective actions
  • Periodic review of the corrective actions taken

How Does the Preventive Actions Approach Work in the ISMS?

Preventive actions are the actions taken to eradicate the cause of potential non-conformities in order to prevent their occurrence. Any implemented preventive action should have defined requirements for the following:

  • Finding the cause of potential non-conformities
  • Selecting and implementing appropriate preventive actions
  • Recording the results of implemented preventive actions
  • Periodic review of preventive actions to check their sustainability

Revisions of ISO 27001 in 2005 and 2013

ISO 27001 was first published in 2005, and its revised version was released worldwide in 2013 with significant amendments to a main section of the standard, namely the monitoring and measurement of objectives. A few requirements were also removed in the revised version, such as the requirement to document each and every preventive action taken for certain specific procedures. The revised version has been made much easier to understand and read, and is highly compatible for integration with other ISO standards already in practice in many organizations.

Other Related Information Security ISO Standards

  • ISO 27002
  • ISO 27004
  • ISO 27005
  • ISO 22301
  • ISO 9001

About Sunita Verma

Sunita Verma, Founder and President of Sync Resource, started the company in 2009 with a vision of providing management consulting to small and medium-sized businesses around the country. Sunita holds a Master’s Degree in Mechanical Engineering from Cleveland State University, Cleveland, Ohio, and a Bachelor’s in Mechanical Engineering (India), for which she received a prestigious gold medal from the then President of India and renowned scientist Dr Abdul Kalam Azad. As an active philanthropist she believes in paying it forward and is a contributing member of charitable organizations such as St. Jude’s Foundation and North Fulton Charities.
