The standard is formally named ISO/IEC 27001 because it is developed and published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is the central standard of the ISO/IEC 27000 family, a set of standards that together define best practices for information security management systems, or ISMS. It was created to help organisations of all sizes secure their information in a way that is risk-based, systematic and cost-effective. Implementing ISO 27001 is voluntary, but the benefits it offers for information security management may well persuade you to adopt it.

Purpose of ISO 27001:

ISO 27001 is a collection of requirements and practices that organisations may adopt. By implementing an information security management system (ISMS), ISO 27001 gives enterprises of any size or sector a framework for protecting their information in a systematic and affordable manner.

Why ISO 27001 is important:

The standard not only gives organisations the knowledge they need to protect their most valuable data; an organisation can also be certified against ISO 27001 and in this way demonstrate to its clients and business partners that it is committed to securing their data.

Individuals can also demonstrate their qualifications to future employers by completing an ISO 27001 course and exam and obtaining a personal certificate.

Because ISO 27001 is an international standard, it is widely recognised, which expands commercial opportunities for both organisations and individuals.

The basic goal of ISO 27001 is to protect three properties of information:

  • Confidentiality: only authorized persons can access the information.
  • Integrity: only authorized persons can change the information.
  • Availability: the information is accessible to authorized persons whenever it is needed.

How ISO 27001 works:

The goal of ISO 27001 is to safeguard the confidentiality, integrity and availability of information inside an organisation. This is done by finding out what could go wrong with the information (risk assessment) and deciding what must be done to stop those things from happening, or to limit their effect if they do (risk treatment).

Therefore, the basic tenet of ISO 27001 is a risk-management method: identify the risks, then treat them systematically by putting security controls (safeguards) in place, and accept only the residual risk that management has agreed to tolerate.
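As an added worked example (not part of this page's source material and not code from the standard itself), the following Python sketch applies the risk-based method just described to a constructed risk register: each risk is scored, Annex A controls are attached to it, the residual score is compared with a management-defined acceptance threshold to pick a treatment, and the selected controls are collected into a Statement of Applicability, the document clause 6.1.3 of the standard requires. The 1 to 5 scales, the multiplicative score, the threshold of 6 and the assumed effect of each control are illustrative assumptions; ISO 27001 does not prescribe a scoring scheme, it only requires that the assessment method produce consistent, valid and comparable results. Control references use the 2013 Annex A numbering.

```python
from dataclasses import dataclass, field

# Assumed scoring scheme: two 1-5 ordinal scales, risk score = likelihood x impact.
# ISO/IEC 27001 does not prescribe this; it only requires a method that gives
# consistent, valid and comparable results.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6  # assumed risk acceptance criterion set by management


@dataclass
class Control:
    """An Annex A control (2013 numbering) and its assumed effect on a risk."""
    ref: str
    title: str
    likelihood_drop: int = 0  # how many likelihood steps the control removes (assumption)
    impact_drop: int = 0      # how many impact steps the control removes (assumption)


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk score before any controls are applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        """Risk score after the attached controls take effect (never below 1 x 1)."""
        lik = max(1, LIKELIHOOD[self.likelihood] - sum(c.likelihood_drop for c in self.controls))
        imp = max(1, IMPACT[self.impact] - sum(c.impact_drop for c in self.controls))
        return lik * imp

    def treatment(self) -> str:
        """Pick a treatment option by comparing scores with the acceptance criterion."""
        if self.inherent() <= ACCEPTANCE_THRESHOLD:
            return "accept"          # already within appetite, no controls needed
        if self.residual() <= ACCEPTANCE_THRESHOLD:
            return "modify"          # controls bring the risk to an acceptable level
        return "avoid or share"      # controls are not enough: stop the activity or transfer the risk


def treatment_plan(risks):
    """Asset -> chosen treatment, the input to a risk treatment plan."""
    return {r.asset: r.treatment() for r in risks}


def statement_of_applicability(risks):
    """Map each selected Annex A control to the risks that justify including it."""
    soa = {}
    for r in risks:
        for c in r.controls:
            entry = soa.setdefault(c.ref, {"title": c.title, "justified_by": []})
            entry["justified_by"].append(f"{r.asset}: {r.threat}")
    return soa


# Constructed sample register; the assets, threats and ratings are invented for illustration.
REGISTER = [
    Risk("customer database", "credential stuffing against the admin login", "likely", "severe",
         controls=[Control("A.9.4.2", "Secure log-on procedures", likelihood_drop=2),
                   Control("A.9.4.3", "Password management system", likelihood_drop=1)]),
    Risk("laptops", "theft of a device holding client files", "possible", "major",
         controls=[Control("A.10.1.1", "Policy on the use of cryptographic controls", impact_drop=2)]),
    Risk("legacy payment server", "exploitation of a vulnerability the vendor will not patch", "likely", "severe",
         controls=[Control("A.12.6.1", "Management of technical vulnerabilities", likelihood_drop=1)]),
    Risk("office printer", "paper jam during a busy period", "likely", "negligible"),
]

if __name__ == "__main__":
    for asset, choice in treatment_plan(REGISTER).items():
        print(f"{asset:24} -> {choice}")
    for ref, entry in sorted(statement_of_applicability(REGISTER).items()):
        print(ref, entry["title"], "| justified by:", "; ".join(entry["justified_by"]))
```

Run as a script, the register yields "modify" for the database and the laptops, "accept" for the printer, and "avoid or share" for the unpatchable payment server, whose residual score of 15 stays above the threshold even with vulnerability management in place; that last case is the one auditors look at most closely, because it forces an explicit management decision rather than a quietly accepted high risk.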

The 14 domains of ISO 27001:

There are 14 "domains" listed in Annex A of ISO/IEC 27001:2013, organised in sections A.5 to A.18. (The 2022 revision of the standard regroups the Annex A controls into four themes: organisational, people, physical and technological; the list below follows the 2013 structure.) The sections cover the following:

A.5. Information security policies: The controls in this section describe how to handle information security policies.

A.6. Organization of information security: The controls in this section provide the basic framework for the implementation and operation of information security by defining its internal organization (e.g., roles, responsibilities, etc.), and through the organizational aspects of information security, like project management, use of mobile devices, and teleworking.

A.7. Human resource security: The controls in this section ensure that people who are under the organization’s control are hired, trained, and managed in a secure way; also, the principles of disciplinary action and terminating the agreements are addressed.

A.8. Asset management: The controls in this section ensure that information security assets (e.g., information, processing devices, storage devices, etc.) are identified, that responsibilities for their security are designated, and that people know how to handle them according to predefined classification levels.

A.9. Access control: The controls in this section limit access to information and information assets according to real business needs. The controls are for both physical and logical access.

A.10. Cryptography: The controls in this section provide the basis for proper use of encryption solutions to protect the confidentiality, authenticity, and/or integrity of information.

A.11. Physical and environmental security: The controls in this section prevent unauthorized access to physical areas, and protect equipment and facilities from being compromised by human or natural intervention.

A.12. Operations security: The controls in this section ensure that the IT systems, including operating systems and software, are operated securely and protected against malware and data loss. Additionally, controls in this section require the means to log events and generate evidence, periodic checks for technical vulnerabilities, and precautions to prevent audit activities from disrupting operations.

A.13. Communications security: The controls in this section protect the network infrastructure and services, as well as the information that travels through them.

A.14. System acquisition, development and maintenance: The controls in this section ensure that information security is taken into account when new information systems are acquired or developed in-house, and when existing ones are changed or upgraded.

A.15. Supplier relationships: The controls in this section ensure that outsourced activities performed by suppliers and partners also use appropriate information security controls, and they describe how to monitor third-party security performance.

A.16. Information security incident management: The controls in this section provide a framework to ensure the proper communication and handling of security events and incidents, so that they can be resolved in a timely manner; they also define how to preserve evidence, as well as how to learn from incidents to prevent their recurrence.

A.17. Information security aspects of business continuity management: The controls in this section ensure the continuity of information security management during disruptions, and the availability of information systems.

A.18. Compliance: The controls in this section provide a framework to prevent legal, statutory, regulatory, and contractual breaches, and audit whether information security is implemented and is effective according to the defined policies, procedures, and requirements of the ISO 27001 standard.