This informal CPD article on ISO/IEC 27001 Information Security Management Systems was provided by CFE Certification, who provide a wide range of auditing, certification and gap analysis services.
This standard was prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System (ISMS).
ISO/IEC 27001 Information Security Management System
Information, which can be defined as a resource that adds value to an organization, needs to be protected in accordance with international standards. Today, information exists in many forms, especially in printed, verbal and electronic media. It is stored in many locations and can be transferred in many ways, such as by post and e-mail.
Information security aims to protect information against many threats in order to ensure business continuity, to minimize the damage that may occur, and to increase earnings and business opportunities. This standard adopts a process approach to create, implement, operate, monitor, review, maintain and improve your Information Security Management System.
ISO 27001:2013
ISO 27001:2013 is the basis for the Information Security Management System (ISMS) and applies to organizations of all sizes in all sectors. An ISMS certificate shows your customers, suppliers and government institutions that you provide for information security.
Information security basically targets the following three elements:
- Confidentiality can be defined as information being inaccessible to unauthorized parties. Another definition of confidentiality is the prevention of disclosure of confidential information to unauthorized persons.
- Integrity is the protection of information against the threats of unauthorized alteration, deletion or destruction of its content. Information that has not been corrupted, whether accidentally or intentionally, can be categorized as complete.
- Availability means that information is accessible whenever it is needed. It is a requirement of the usability property that the information can still be accessed when a problem occurs. This access must be within the user's rights.
Why Is ISO 27001 Necessary?
ISO 27001 shows that the organisation's internal controls are independently assured and that they meet corporate governance and business continuity requirements.
Benefits for the Organisations
- Protecting the confidentiality of information assets,
- Ensuring effective risk management by identifying threats and risks,
- Protecting institutional reputation,
- Ensuring business continuity,
- Controlling access to information resources,
- Raising the security awareness of team members, contractors and sub-contractors and informing them about important security issues,
- Establishing a realistic control system across automated and manually managed systems to ensure that sensitive information is used appropriately,
- Ensuring the integrity and accuracy of information assets,
- Preventing staff from being suspected of abuse and harassment by others,
- Ensuring that sensitive information is appropriately available to third parties and auditors,
- Independently demonstrating that the applicable laws and regulations are observed,
- Providing a competitive advantage by meeting contractual requirements and by paying attention to the security of your customers' information,
- Independently verifying that your corporate risks are properly defined, evaluated and managed while your information security processes, procedures and documents are being formed,
- Continuously monitoring and improving your performance through regular evaluation, which proves your senior management's commitment to the security of their information,
- Protecting information assets,
- Providing business continuity,
- Establishing a healthy relationship with customers and suppliers,
- Providing a competitive advantage,
- Providing legal compliance.
ISO 27001 Certification Procedure
- Filling in the information form
- Submitting an offer
- Applying for the certificate
- Documentation review
- Pre-audit (optional)
- Company audit (conducted in 2 stages on different dates)
- Approval of the Certification Committee
- Issuance of the certificate
- Periodic follow-up audits
- Certificate renewal
We hope this article was helpful. For more information from CFE Certification, please visit their CPD Member Directory page. Alternatively please visit the CPD Industry Hubs for more CPD articles, courses and events relevant to your Continuing Professional Development requirements.