What is ISO 27001 and 27002?

Information Security Management System and its Family

What is information security?

Information security covers several aspects of protecting information. These are presented in the form of a model called the CIA Triad: C is Confidentiality, I is Integrity and A is Availability.

ISMS Family

An ISMS preserves the confidentiality, integrity and availability of information by applying a risk management process.

CIA Triad — three principles

Confidentiality: Protect information from unauthorized access. Examples: encryption, access control lists, and file permissions. The opposite of confidentiality is disclosure.

Integrity: Safeguard the accuracy of the information. The opposite of integrity is modification.

Availability: Information must be available when it is needed. The opposite of availability is destruction.

About the ISO 27001 Standard: This is an international standard against which an organization can be certified. Certification means that the organization meets all the requirements of the standard, which include the mandatory clauses and Annex A. The standard specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Excluding any of clauses 4 to 10 is not acceptable when an organization claims conformity to this standard.

Clause 4: Context of the Organization

Clause 5: Leadership

Clause 6: Planning

Clause 7: Support

Clause 8: Operation

Clause 9: Performance Evaluation

Clause 10: Improvement

About the ISO 27002 Standard: This is an international standard that an organization uses as a reference or guidance document for selecting controls while implementing an ISMS based on ISO 27001. It is known as the Code of Practice. It contains 14 security control clauses, 35 security categories, and 114 controls.

Why is it so important for organizations to get ISO 27001 certification?

  1. A competitive edge over other organizations.
  2. Improved confidence among existing customers and business partners.
  3. An enhanced brand and reputation for your organization.
  4. Compliance with regulatory, commercial, contractual, and legal responsibilities.
  5. Increased customer satisfaction.
  6. An improved security posture and preparation for the unknown.
  7. A culture shift through the introduction of continuous improvement.
  8. Risk-based strategies and monitoring of the effectiveness of the selected controls.

Conclusion: Implementing the ISMS the right way is essential to meeting the requirements. It ensures that the ISMS meets the objectives set by the organization and effectively reduces risk to a tolerable level.

Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Over 18 years of experience in a wide variety of technical domains within information security, including information assurance, compliance, and risk management.