ISO 27001: Managing Risks Through Information Security

Risk Management

ISO/IEC 27001 is a management system standard designed to ensure that security controls are in place to protect information within an organization. Published in October 2005 by the International Organization for Standardization, ISO 27001 is designed to provide systematic control over all company information. It is an extension of a company’s quality management system and emphasizes security measures that protect information critical to the business as part of its overall risk management.

Though security controls are present in every organization, having a defined Information Security Management System (ISMS) makes it easier for an organization to identify security risks and formulate the steps needed to protect data that is crucial to its operations. Asset management, access control, business continuity and overall compliance are just some of the areas covered by ISO 27001. Data exchange, acquisition and development are the primary focus of the standard, which emphasizes the importance of having an ISMS and aligning it with the other quality management systems already in place within the organization.

ISO 27001 was adopted from BS 7799, a two-part standard published by the UK’s Department of Trade and Industry in 1999, which served as its originating model. ISO 27001 also follows the Plan-Do-Check-Act process model, introduced in the 2002 version of BS 7799, in its ISMS requirements and compliance. The Plan-Do-Check-Act cycle simply means establishing the policies, goals and procedures of the ISMS based on the organization’s strategy and its information security risks; implementing, reviewing and monitoring the established ISMS; and acting on the evaluation results by applying updates and improvements. This process should be congruent with the organization’s existing quality management policies. ISO 27001 is compatible with other quality standards such as ISO 9001, so if an organization already has a quality management system in place, implementing ISO 27001 is highly recommended.

Security Management

Certification in ISO 27001 is done in three stages. In the first stage, the auditors review and familiarize themselves with the organization’s existing Information Security Management System, evaluating the completeness of the existing information security documentation and its applicability. The second stage is more formal and more detailed: it audits the existing ISMS for conformance to the requirements specified in ISO 27001. This audit is usually conducted by lead auditors, and a positive result at this stage can lead to certification as ISO 27001 compliant. Though passing the second stage can gain an organization the desired certification, a third stage is still necessary. The third stage follows up on the improvement of the company’s ISMS to ensure that it matures along with changes within the organization and continues to serve its purpose in information security and control. These follow-up audits are generally called surveillance audits and are usually done once a year, but a company, depending on what its management agrees to, can have them more frequently than the scheduled annual surveillance audit.

Knowing that compliance with this standard can benefit a company in terms of credibility, competitiveness and risk management, QSE consultants are highly experienced in helping companies pass certification audits. With their 10 Step Approach method, they can offer your company a higher chance of obtaining ISO 27001 certification. Contact one of the QSE consultants by visiting https://qsebackup.atlcreative.co.
