Introduction to ISO 27001 2022 standards

Introduction to information security and ISO 27001 standards

Organizations of all types and sizes:

1. Collect, process, store, and transmit information;
2. Recognize that information, and related processes, systems, networks and people are important assets for achieving organization objectives;
3. Face a range of risks that can affect the functioning of assets; and
4. Address their perceived risk exposure by implementing information security controls.

All information held and processed by an organization is subject to threats of attack, error, nature (for example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information security is generally based on information being considered as an asset which has a value requiring appropriate protection, for example, against the loss of availability, confidentiality and integrity. Enabling accurate and complete information to be available in a timely manner to those with an authorized need is a catalyst for business efficiency. Protecting information assets through defining, achieving, maintaining, and improving information security effectively is essential to enable an organization to achieve its objectives, and maintain and enhance its legal compliance and image. These coordinated activities directing the implementation of suitable controls and treating unacceptable information security risks are generally known as elements of information security management. As information security risks and the effectiveness of controls change depending on shifting circumstances, organizations need to:

1. Monitor and evaluate the effectiveness of implemented controls and procedures;
2. Identify emerging risks to be treated; and
3. Select, implement and improve appropriate controls as needed.

To interrelate and coordinate such information security activities, each organization needs to establish its policy and objectives for information security and achieve those objectives effectively by using a management system.

Organizations of all types and sizes:

1. Collect, process, store, and transmit information;
2. Recognize that information, and related processes, systems, networks and people are important assets for achieving organization objectives;
3. Face a range of risks that can affect the functioning of assets; and
4. Address their perceived risk exposure by implementing information security controls.

All information held and processed by an organization is subject to threats of attack, error, nature (for example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information security is generally based on information being considered as an asset which has a value requiring appropriate protection, for example, against the loss of availability, confidentiality and integrity. Enabling accurate and complete information to be available in a timely manner to those with an authorized need is a catalyst for business efficiency. Protecting information assets through defining, achieving, maintaining, and improving information security effectively is essential to enable an organization to achieve its objectives, and maintain and enhance its legal compliance and image. These coordinated activities directing the implementation of suitable controls and treating unacceptable information security risks are generally known as elements of information security management. As information security risks and the effectiveness of controls change depending on shifting circumstances, organizations need to:

1. Monitor and evaluate the effectiveness of implemented controls and procedures;
2. Identify emerging risks to be treated; and
3. Select, implement and improve appropriate controls as needed.

To interrelate and coordinate such information security activities, each organization needs to establish its policy and objectives for information security and achieve those objectives effectively by using a management system. ISO 27001 standards provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time. The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. It is important that the information security management system is part of and integrated with the organization’s processes and overall management structure and that information security is considered in the design of processes, information systems, and controls. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organization. ISO 27001 standard can be used by internal and external parties to assess the organization’s ability to meet the organization’s own information security requirements.

What is an information security management system?

Overview and principles

An information security management system consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets. An information security management system is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives. It is based on a risk assessment and the organization’s risk acceptance levels designed to effectively treat and manage risks. Analysing requirements for the protection of information assets and applying appropriate controls to ensure the protection of these information assets, as required, contributes to the successful implementation of an information security management system. The following fundamental principles also contribute to the successful implementation of an information security management system:

1. Awareness of the need for information security;
2. Assignment of responsibility for information security;
3. Incorporating management commitment and the interests of stakeholders;
4. Enhancing societal values;
5. Risk assessments determining appropriate controls to reach acceptable levels of risk;
6. Security incorporated as an essential element of information networks and systems;
7. Active prevention and detection of information security incidents;
8. Ensuring a comprehensive approach to information security management;
9. Continual reassessment of information security and making of modifications as appropriate.

Information

Information is an asset that, like other important business assets, is essential to an organization’s business and, consequently, needs to be suitably protected. Information can be stored in many forms, including: digital form (e.g. data files stored on electronic or optical media), material form (e.g. on paper), as well as unrepresented information in the form of knowledge of the employees. Information can be transmitted by various means including: courier, electronic or verbal communication. Whatever form information takes, or the means by which it is transmitted, it always needs appropriate protection. In many organizations, information is dependent on information and communications technology. This technology is often an essential element in the organization and assists in facilitating the creation, processing, storing, transmitting, protection and destruction of information.

Information security

Information security ensures the confidentiality, availability and integrity of information. Information security involves the application and management of appropriate controls that involves consideration of a wide range of threats, with the aim of ensuring sustained business success and continuity, and minimizing consequences of information security incidents. Information security is achieved through the implementation of an applicable set of controls, selected through the chosen risk management process and managed using an information security management system, including policies, processes, procedures, organizational structures, software and hardware to protect the identified information assets. These controls need to be specified, implemented, monitored, reviewed and improved where necessary, to ensure that the specific information security and business objectives of the organization are met. Relevant information security controls are expected to be seamlessly integrated with an organization’s business processes

Management

Management involves activities to direct, control, and continually improve the organization within appropriate structures. Management activities include the act, manner, or practice of organizing, handling, directing, supervising, and controlling resources. Management structures extend from one person in a small organization to management hierarchies consisting of many individuals in large organizations. In terms of an information security management system, management involves the supervision and making of decisions necessary to achieve business objectives through the protection of the organization’s information assets. Management of information security is expressed through the formulation and use of information security policies, procedures and guidelines, which are then applied throughout the organization by all individuals associated with the organization.

Management system

A management system uses a framework of resources to achieve an organization’s objectives. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources. In terms of information security, a management system allows an organization to:

1. Satisfy the information security requirements of customers and other stakeholders;
2. Improve an organization’s plans and activities;
3. Meet the organization’s information security objectives;
4. Comply with regulations, legislation and industry mandates; and
5. Manage information assets in an organized way that facilitates continual improvement and adjustment to current organizational goals.

Why an information security management system is important

Risks associated with an organization’s information assets need to be addressed. Achieving information security requires the management of risk, and encompasses risks from physical, human and technology related threats associated with all forms of information within or used by the organization. The adoption of an information security management system is expected to be a strategic decision for an organization and it is necessary that this decision is seamlessly integrated, scaled and updated in accordance with the needs of the organization. The design and implementation of an organization’s information security management system is influenced by the needs and objectives of the organization, the security requirements, the business processes employed and the size and structure of the organization. The design and operation of an information security management system needs to reflect the interests and information security requirements of all of the organization’s stakeholders including customers, suppliers, business partners, shareholders and other relevant third parties. In an interconnected world, information and related processes, systems, and networks constitute critical business assets. Organizations and their information systems and networks face security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire and flood. Damage to information systems and networks caused by malicious code, computer hacking, and denial of service attacks have become more common, more ambitious, and increasingly sophisticated. An information security management system is important to both public and private sector businesses. In any industry, an information security management system is an enabler that supports e-business and is essential for risk management activities. The interconnection of public and private networks and the sharing of information assets increase the difficulty of controlling access to and handling of information. In addition, the distribution of mobile storage devices containing information assets can weaken the effectiveness of traditional controls. When organizations adopt the information security management system family of standards, the ability to apply consistent and mutually-recognizable information security principles can be demonstrated to business partners and other interested parties. Information security is not always taken into account in the design and development of information systems. Further, information security is often thought of as being a technical solution. However, the information security that can be achieved through technical means is limited, and can be ineffective without being supported by appropriate management and procedures within the context of an information security management system. Integrating security into a functionally complete information system can be difficult and costly. An information security management system involves identifying which controls are in place and requires careful planning and attention to detail. As an example, access controls, which can be technical (logical), physical, administrative (managerial) or a combination, provide a means to ensure that access to information assets is authorized and restricted based on the business and information security requirements. The successful adoption of an information security management system is important to protect information assets allowing an organization to:

1. Achieve greater assurance that its information assets are adequately protected against threats on a continual basis;
2. Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
3. Continually improve its control environment; and
4. Effectively achieve legal and regulatory compliance.

Scope of ISO 27001 standard

ISO 27001 Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. ISO 27001 also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO 27001 standards are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Organisations are not permitted to exclude any of the requirements specified in Clauses 4 to 10 when claiming conformity to ISO 27001 standard.

Benefits

The benefits of implementing ISO 27001 standards are huge. Depending upon the scope of activities and the level of compliance to the requirements of ISO 27001 standards, organisations can get benefits such as:

• Good governance & leadership
• Increase customer satisfaction
• Increase in staff morale
• Standout among others
• International recognition
• Avoid the financial penalties and losses associated with data breaches
• Benchmark with the best
• Continual Improvement
• Comply with legal requirements
• Business continuity
• Win new business and sharpen your competitive edge

Information security management system – critical success factors

A large number of factors are critical to the successful implementation of an information security management system to allow an organization to meet its business objectives. Examples of critical success factors include the following:

1. Information security policy, objectives, and activities aligned with objectives;
2. An approach and framework for designing, implementing, monitoring, maintaining, and improving information security consistent with the organizational culture;
3. Visible support and commitment from all levels of management, especially top management;
4. An understanding of information asset protection requirements achieved through the application of information security risk management
5. An effective information security awareness, training and education programme, informing all employees and other relevant parties of their information security obligations set forth in the information security policies, standards, etc., and motivating them to act accordingly;
6. An effective information security incident management process;
7. An effective business continuity management approach;
8. A measurement system used to evaluate performance in information security management and feedback suggestions for improvement.
9. An information security management system increases the likelihood of an organization consistently achieving the critical success factors required to protect its information assets.