ISO 27001 is a framework for managing IT security. Whilst it doesn’t sound exciting, ISO 27001, known under its full title as ISO/IEC 27001:2013, is a standard for an information security management system (ISMS) that helps keep consumer data safe in the private and public sectors.
ISO 27001 has been around for a while, superseding the original ISMS compliance framework that came into effect in 2005. It was updated in 2013 to reflect the changing nature of IT security and new threats against organisations and consumers.
Background to ISO 27001
Protecting data, passwords and computer services is more important than ever, with everything from banking to vital infrastructure connected to the internet and vulnerable to cyber attacks. Over the last few years, attacks have increased in complexity and frequency, exposing millions of people and businesses to security breaches, theft and fraud.
ISO 27001:2013 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.” It was established, implemented and monitored jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), under a joint subcommittee.
Although ISO 27001 focuses on information security, it is a platform- and technology-neutral framework, designed around how organisations manage IT risks and systems.
There are seven areas that companies need to manage to achieve ISO 27001 compliance.
- Context of an organisation
An ISO 27001 implementation does not take place in isolation. Start with internal considerations: your organisation’s mission, values, products/services, sector, and financial and human resources. Think about stakeholders, internal capabilities, culture and contracts, and then consider how external conditions, trends and customers could impact what you hope to achieve when designing an information security system.
With a 360-degree view of the organisation in place, you can draft an ISMS scope document defining the boundaries of these policies (including the impact of the bring your own device (BYOD) trend) and write ISMS policies that follow the ISO 27001 standard.
Organisations need to show top-down commitment to ISO 27001. Policies need to be established and become an integral part of how IT is managed, with a security policy communicated to the whole team. This policy needs to support the security objectives, with clear management responsibility for upholding it.
Planning an ISO 27001 implementation involves assessing the risks and opportunities that could impact IT security, both internally and externally. Risk assessments should be conducted: identifying,