What is ISO 27001 and 27002?
Information Security Management System and its Family
What is information security?
Let’s say you have a gadget that reads the temperature and humidity in your basement. Every morning at 10 AM and night at 10 PM you, note down the temperature and relative humidity into a notebook. The collection of these numbers and observation is called data. You are collecting data in the form of measurement through observation and reading the numbers from those gadgets. When you process this data into some meaningful form it becomes the information. This information is now organized, structured, and very useful to make decisions. In our example of reading temperature and humidity, the reading shows a pattern when temperature increases it will lead to a decrease in the relative humidity. This information could be sensitive if we change the location from a garage to a nuclear facility. Depending on the classification there could be a requirement to protect that information. An act of protecting this information from unauthorized disclosure, modification, or destruction whether accidental or intentional is called information security.
Information Security covers several aspects of protecting the information, this is presented in the form of a model called CIA Triad. C is Confidentiality, I is Integrity and A is Availability.
ISMS preserves the CIA of Information by applying risk management process.
Confidentiality: Protect the information from unauthorized access. Example- use encryption, access control lists, and file permissions. The opposite of confidentiality is disclosure.
Integrity: Safeguard the accuracy of the information. The opposite of integrity is modification.
Availability: Information must be available when it is needed. The opposite of availability is destruction.
About the ISO 27001 Standard: This is an international standard against which the organization gets certified. This means they meet all the requirements mentioned in the Standard that includes the mandatory clauses and annexure A. This standard provides the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It is not acceptable to exclude clauses 4 to 10 from the requirements to gain conformity to this standard.
Clause 4- Context of the Organization
Clause 5- Leadership
Clause 6- Planning
Clause 7- Support
Clause 8- Operation
Clause 9- Performance Evaluation
Clause 10- Improvement
About the ISO 27002 Standard: This is an international standard that helps the organization to use this as a reference or guidance document for selecting controls within the process of implementing an ISMS based on ISO 27001. This standard is called the Code of Practice. It contains 14 security control clauses, 35 security categories, and 114 controls.
Why is it so important for organizations to get ISO 27001 certification?
ISO 27001 is the only standard for information security management systems. This demonstrates that an organization has identified all its assets, understood the risks, maintain the risk register, have established policies, procedures, guidelines, and baseline, had appropriate security controls to protect from information security breaches. Following are some of the benefits in achieving the certification-
- Have a competitive edge against other organizations.
- Improved confidence with the existing customers and business partners.
- Enhance your organization's brand and reputation.
- Stay compliant with regulatory, commercial, contractual, and legal responsibilities.
- Increased customer satisfaction.
- Improves security posture and prepares for the unknown.
- Culture shift by introducing continuous improvement.
- Risk-based strategies and monitor the effectiveness of those controls.
Conclusion: Implementing the ISMS the right way is very important to meet the requirements. This ensures ISMS meets the objectives set by the organization and effectively reducing the risk to a tolerable level.