ISO 27001
ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes.
Six-Part Planning Process
ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a statement of applicability.
The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action.
ISMS Scope and Statement of Applicability (SOA)
Whereas the standard is intended to drive the implementation of an enterprise-wide ISMS, a documented ISMS scope is one of the mandatory requirements for certification.
A Statement of Applicability (SOA) takes the form of a matrix identifying various types of information risks on one axis and risk treatment options on the other; the body of the matrix shows how the risks are to be treated, and perhaps who is accountable for them.
Benefits
- Reduce the chances of security breaches within your IT environment
- Confidentiality of information
- Minimization of IT risks and possible damage
- Competitive edge due to recognized standard
- Increase in trust with respect to partners, customers and the public
- Structured method to address compliance
- Systematic detection of vulnerabilities