ISO 27001:2013 is the international standard that provides a framework for Information Security Management Systems (ISMS), with the aim of preserving the confidentiality, integrity, and availability of information and of meeting legal obligations. An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes, and IT systems, and applies a risk management process to help organizations of any size, in any industry, keep their business information assets secure.
Organizations of all types and sizes collect, process, store and transmit information in many forms. This information is valuable to an organization’s business and operations. In today’s interconnected and mobile world, information is processed using systems and networks that employ state-of-the-art technology. It is vital to protect this information against both deliberate and accidental threats and vulnerabilities. Effective information security assures management and other stakeholders that the organization’s assets are safe, thereby acting as a business enabler.
With the increasing severity of data breaches in today's digitized world, ISMS is crucial in building up your organization's cyber security. Some benefits of ISMS include:
- Increased attack resilience: ISMS improves your ability to prepare for, respond to, and recover from any cyber-attack.
- Manage all of your data in one place: As the central framework for your organization's information, ISMS allows you to manage everything in one place.
- Easily secure any form of information: Whether you want to protect paper-based, cloud-based, or digital information, ISMS can handle every kind of data.
- Reduce the costs of information security: With the risk assessment and prevention approach provided by ISMS, your organization can avoid the cost of bolting on layers of defensive technology after a cyber-attack, layers that are not guaranteed to work.
ISO 27001 helps organizations to keep secure both their information assets and those of their customers. It provides requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It can be used by internal and external parties to assess the ability of an organization to meet its own information security requirements.
This International Standard has been prepared to provide requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The adoption of an ISMS is a strategic decision for an organization. The establishment and implementation of an organization’s ISMS is influenced by the organization’s needs and objectives, security requirements, the organizational processes used, and the size and structure of the organization.
The ISMS preserves the confidentiality, integrity, and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. It is important that the ISMS is part of, and integrated with, the organization’s processes and overall management structure, and that information security is considered in the design of processes, information systems, and controls. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization.
This International Standard can be used by internal and external parties to assess the organization’s ability to meet the organization’s own information security requirements. It specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size, or nature.
If your organization does not already have an Information Security Management System (ISMS), the ISO 27001 standard and its companion document ISO 27002 can be used to establish one. Once the ISMS is established, you can use it to demonstrate that your organization is capable of keeping business information assets secure and of continually improving both its products and services and its practices and processes.
ISO 27001 requirements are underpinned by universal information security best practices that help your organization with:
- Cyber security strategy
- Downtime reduction
- Management systems
- Security policy
- Threat mitigation
- Compliance checklists
- IT governance
- Loss prevention
- GDPR compliance
- Asset protection
- Incident management
- Data breaches
The ISO 27001 standard comprises 10 clauses/sections that describe the full set of requirements an organization must meet when seeking certification of its ISMS.
Clause / Section | Clause / Section Objective |
---|---|
1 | Introduction |
2 | Definitions |
3 | Overview |
4 | Context |
4.1 | Understand your organization and its unique context |
4.2 | Clarify the needs and expectations of interested parties |
4.3 | Define the scope of your Information Security Management System (ISMS) |
4.4 | Develop an ISMS and establish documented information |
5 | Leadership |
5.1 | Provide leadership by focusing on security of business information assets |
5.2 | Provide leadership by establishing a suitable information security management plan and policy |
5.3 | Provide leadership by defining roles, responsibilities, and authorities |
6 | Planning |
6.1 | Define actions to manage risks and address opportunities |
6.2 | Set information security objectives and develop plans to achieve them |
6.3 | Plan your Information Security Management System |
7 | Support |
7.1 | Support your ISMS by providing the necessary resources |
7.2 | Support your ISMS by ensuring that people are competent |
7.3 | Support your ISMS by explaining how people can help |
7.4 | Support your ISMS by managing your communications |
7.5 | Support your ISMS by controlling documented information |
8 | Operations |
8.1 | Develop, implement, and control your operational processes |
8.2 | Conduct regular information security risk assessments |
8.3 | Implement your information security risk treatment plan |
9 | Evaluation |
9.1 | Monitor, measure, analyze, and evaluate ISMS performance |
9.2 | Use internal audits to examine conformance and performance |
9.3 | Carry out management reviews and document your results |
10 | Improvement |
10.1 | Determine improvement opportunities and make improvements |
10.2 | Control nonconformities and take appropriate corrective action |
10.3 | Enhance the suitability, adequacy, and effectiveness of your ISMS |
Clause / Section 4. Context
Context asks you to start by understanding your organization and its context before you develop its process-based Information Security Management System (ISMS). It asks you to consider the external and internal issues that are relevant to your organization's purpose and strategic direction and to think about the influence these issues could have on its ISMS and the results it intends to achieve. This means that you need to understand your organization's external environment, its culture, its values, its performance, and its interested parties before you develop its ISMS. You also need to understand your organization’s approach to governance, its capabilities, its contracts, its stakeholders, and its environmental conditions before you develop its ISMS. Why? Because your ISMS will need to be able to manage all these influences. Once you have considered all of this, you are ready to define the scope of your ISMS and to begin its development.
Clause / Section 5. Leadership
Leadership asks your organization's top management to provide leadership for its ISMS by showing that they support it, by expecting people to focus on information security and on customers, by expecting them to comply with the information security policy, and by expecting them to manage risks and opportunities. Section 5 also expects top management to establish an information security management plan and policy, and to assign ISMS roles, responsibilities, and authorities.
Clause / Section 6. Planning
Planning asks you to plan the development of your ISMS. It asks you to address the risks and opportunities that could influence your organization's ISMS or disrupt its operation, and to consider how its context and its interested parties could affect its ISMS and the results it intends to achieve. Section 6 also asks you to assess your organization's information security risks, to select risk treatment options, to choose the information security controls needed to implement those options, and to formulate a risk treatment plan. Finally, it asks you to establish information security objectives at all relevant levels and for all relevant functions within your organization, and to develop plans to achieve these objectives.
Clause / Section 7. Support
Support asks you to support your ISMS by managing communications and by providing the necessary resources. It asks you to provide competent people, to provide an appropriate process infrastructure and environment, to provide suitable monitoring and measuring technologies, to provide the knowledge that is needed to facilitate process operations, and to provide documented information.
It asks you to start by figuring out how extensive your documented information should be and then asks you to select and include all the documentation your organization needs in order to ensure that its processes are being carried out as planned and all the documentation it needs in order to comply with the ISO 27001 standard. It asks you to manage the creation and modification of this documentation and to control how it is used.
Clause / Section 8. Operations
Operations asks you to establish the processes necessary to meet your organization's information security requirements, to carry out the actions needed to address its information security risks and opportunities, and to implement the plans needed to achieve its information security objectives.
Section 8 also asks you to perform regular information security risk assessments, to prioritize your risks, and to maintain a record of risk assessment results. And, finally, it asks you to implement your information security risk treatment plans and to maintain a record of your risk treatment results.
Clause / Section 9. Evaluation
Evaluation asks you to monitor, measure, analyze, and evaluate the performance of your organization's ISMS. It asks you to monitor customer satisfaction, to evaluate monitoring and measuring results, to audit conformance and performance, and to review the suitability, adequacy, and effectiveness of your ISMS.
Clause / Section 10. Improvement
Improvement asks you to identify opportunities, to identify nonconformities, to take corrective actions, and to enhance the suitability, adequacy, and effectiveness of your organization's ISMS.