The ISO 27001 standard defines numerous requirements for information security. Certification against this standard is therefore a powerful way to demonstrate that your organization has its information security in order.
The core of ISO 27001
It's all about protecting the availability, integrity and confidentiality (BIV, the Dutch abbreviation) of information within your company. ISO 27001 provides a framework for identifying, assessing and controlling threats to these three properties. This means performing a risk assessment and determining the necessary measures, such as risk mitigation or other forms of risk treatment, to prevent these problems.
How do you arrive at the standard?
The standard is available from the Stichting Koninklijk Nederlands Normalisatie Instituut (NEN). We notice that organizations have little familiarity with this standard and find learning it time-consuming. Fortunately, our consultants know the standard well. They know exactly how to apply our templates, which are fully aligned with the standard, to any organization.
Why ISO 27001 certification?
In the rapidly changing digital world, organizations constantly face information security challenges. Threats to their information security arrive daily, making data breaches, financial losses and reputational damage increasingly common. ISO 27001 provides a solution to this and is more than a piece of paper, because it offers the following benefits:
- Protection from incidents
Thanks to the framework and management system of the ISO 27001 ISMS, you identify risks and implement control measures. This reduces the risk of incidents within the organization.
- Tender benefits
ISO 27001 demonstrates that the information your organization holds is secure. That is why it is increasingly becoming a hard requirement in tenders. You don't have to provide a whole book showing that you handle data well: by simply showing the certificate, you give potential customers sufficient confidence. It also gives you an advantage over competitors who do not have a certificate.
- Customers/suppliers
ISO 27001 shows that your organization takes information security seriously. This gives confidence to customers and suppliers. Large organizations increasingly expect their suppliers to be ISO 27001 certified. For example, a hospital's entire supply chain must be certified and be able to demonstrate that they handle patient data correctly.
- Laws and regulations
The standard aligns with various data protection laws and regulations, such as the AVG (the Dutch implementation of the GDPR). Do you comply with the ISO 27001 standard? Then you don't have to worry about failing to comply with laws and regulations.
- Understanding and controlling security risks
Thorough risk assessment and risk management are requirements of ISO 27001. These identify potential vulnerabilities.
What components does the standard consist of?
The ISO 27001 standard consists of two main parts: the Harmonized Structure (HS) and Annex A. These two parts differ in both structure and content.
PART 1
Harmonized Structure (HS)
The HS was introduced to bring consistency to all management system standards, so that organizations that implement multiple standards can do so in a uniform way. The HS consists of 10 chapters:
- CHAPTER 1
Scope
Describing the scope of the standard, indicating which organizations and situations it applies to.
- CHAPTER 2
Normative references
Naming the referenced documents that form part of the standard. These references are necessary for understanding and applying the standard.
- CHAPTER 3
Terms and definitions
Creating a list of terms and definitions used in the context of the standard.
- CHAPTER 4
Context of the organization
Identifying the relevant external and internal factors affecting information security, such as market changes and business objectives. Here it is important that management is involved in information security.
- CHAPTER 5
Leadership
Demonstrating management commitment, for example by appointing a Security Officer to take the lead on information security policy and strategy.
- CHAPTER 6
Planning
Establishing an annual information security plan that includes priorities and objectives, as well as the identified key issues and risks to be addressed.
- CHAPTER 7
Support
Allocating resources and providing training to employees for awareness and education in information security.
- CHAPTER 8
Implementation
Implementing, organizing and controlling technical measures, such as firewalls and encryption, to protect information.
- CHAPTER 9
Performance evaluation
Periodically reviewing incidents and audits to measure the effectiveness of information security measures.
- CHAPTER 10
Improvement
Handling deviations, including responses, corrective actions and evaluation of causes. Documenting deviations and assessing the corrective actions taken is important here.
PART 2
Annex A
Annex A of ISO 27001 contains a list of management measures and controls that organizations can implement to mitigate risks. These management measures are divided into several categories:

A5: Organizational control measures
This section contains management measures that relate to the organizational structure and how information security is controlled within the organization. These measures include:
- Assignment of responsibilities;
- Establishing acceptable use of assets;
- Establishing a password policy;
- Promote a "clean desk and clear screen" culture;
- Establish plans and procedures to ensure continuity of business operations even in emergencies;
- Manage and protect assets (infrastructure, network, systems and other assets);
- Develop and maintain clear communication channels and business processes;
- Compliance with regulations (AVG/GDPR, European legislation).
A6: People-oriented management measures
This section is all about the human aspect of information security. The control measures here focus on employee behavior and actions. Consider:
- Establish rules and procedures for staff;
- Manage risks related to human error, theft, fraud and abuse;
- Implement screening processes for staff joining and leaving the organization.
A7: Physical management measures
This section discusses physical security measures aimed at protecting the organization's physical infrastructure. This includes measures such as:
- Access control to buildings and spaces;
- Securing cabling;
- Protection of mobile devices (such as laptops used off-premises);
- Fire protection.
A8: Technological management measures
This section focuses on the technological side of information security. The management measures in this chapter cover systems, capacity and software. Consider:
- System and software development and maintenance (documentation, processes);
- Backup policy;
- Virus protection;
- Maintain servers and PCs;
- Access rights management.
Continuous improvement
During an ISO 27001 audit, auditors always follow the PDCA (Plan, Do, Check, Act) cycle in their assessment. They check whether plans were effective (Plan), whether implementation was done correctly (Do), whether the controls were verified (Check) and whether appropriate adjustments were made (Act). Auditors look for evidence that the cycle is effective and that management is willing to adapt and improve. It's all about ensuring a constant process of learning, adapting and growing.
Plan
In the first phase of continuous improvement (Plan), the organization looks at where improvement is needed and sets information security goals. This includes:
- Evaluate results of risk assessments and ISO audits to identify weaknesses and deficiencies;
- Establish measurable goals for information security;
- Develop action plans and assign responsibilities for achieving these goals.
Do
Planning is followed by the implementation phase (Do), in which the action plans are implemented. This includes:
- Implement planned security measures and actions;
- Training employees and making them aware of the new measures;
- Collect data and information during implementation.
Check
The control (Check) phase evaluates whether the measures taken are effective in improving information security. This includes:
- Monitor and measure performance and security indicators;
- Comparing results with established goals and standards;
- Identify deviations and areas requiring further improvement.
Act
Based on the findings in the control phase (Check), corrective and preventive actions are taken in the final phase (Act). This includes:
- Implement corrective actions to address the identified deviations;
- Identify the causes of problems and prevent their repetition;
- Document the measures taken and the results of the improvement efforts.
The effect of the PDCA model
The PDCA model creates a feedback loop that allows organizations to continually learn and evaluate their approach to information security. By repeating this process regularly, organizations can maintain and improve their level of security in an ever-changing threat environment. Continuous improvement within ISO 27001 is not only a requirement of the standard, but also an opportunity for organizations to become more effective in protecting their sensitive information and meeting stakeholder expectations. It's not for nothing that a management system must be in place for at least three months before your organization can be certified.
The difference between ISO 27001 and ISO 27002
The difference between ISO 27001 and ISO 27002 lies mainly in the level of detail at which the control measures are written out. Another important difference is that you can be certified against ISO 27001, but not against ISO 27002. ISO 27002 was developed to provide organizations with guidelines and best practices for information security. As such, it is a complementary standard that elaborates on ISO 27001.
ISO 27002 contains a list of possible control measures, also called "controls." These controls are designed so that they can be implemented within an ISO 27001 management system, because they correspond to the measures in Annex A of the ISO 27001 standard.
In short, ISO 27002 provides guidelines and best practices for information security, while ISO 27001 focuses on establishing, implementing, maintaining and improving an information security management system (ISMS).
Awareness
The ISO 27001 standard emphasizes the importance of awareness: the understanding and recognition of the importance of information security within an organization. It is not just about understanding the security measures in place, but also about being aware of the potential risks and the role employees play in ensuring information security.
Often the main challenge is creating sufficient awareness. 80% of cyber incidents are caused by employee inattention or wrong behavior. It is therefore crucial that your employees are aware of the risks. Awareness training is not only a mandatory part of the standard (according to A.6.3), but also ensures that everyone actually follows the required agreements and rules of conduct.
How to implement ISO 27001
Before you get started with ISO certification, you need to know how to implement the standard. Implementing ISO 27001 is a process that helps organizations establish, implement, manage and improve their Information Security Management System (ISMS).
An implementation process that suits your organization
Our customers choose from a variety of implementation pathways to suit their organization's needs and requirements. Read the white paper here about what our implementation process looks like, the method we use and the difference between our customized implementation processes. We hope this blog has been able to provide you with a clear understanding of what the ISO 27001 standard entails.
Want to know more about the standards from this article?
More information is available on our website: fendix.co.uk/standards
Have you become enthusiastic about our approach and are you looking for an ISO specialist or ISO professional?
If so, we'd love to hear from you. Contact us below for a free, no-obligation consultation.