Build an information security management system in accordance with the ISO 27001 standard
7 December 2017
An information security management system allows you to protect confidential information and manage risks. Granted by an independent, external third party, the ISO 27001 certification is a proof of conformity of the company's information security management system. Read below what you should take into account when building an information security management system in compliance with the ISO 27001 standard.
An information security management system creates procedures and tools
Introduction of an Information Security Management System (ISMS) helps in bringing the organisation's information security risks under control. It allows you to protect confidential information and ensure business continuity under any circumstances. The ISMS covers the physical and electronic data, data mediums and the relevant information security, in other words, the conservation of the confidentiality, integrity, usability and non-repudiation of data. A management system harmonises and clarifies operations and provides clear practical guidelines, tools and methods for correct and secure action in any situation.
ISO 27001 is a standard for information security management
The ISO 27001 standard is an information security management standard of international significance. The standard sets requirements for the development, implementation, use, monitoring, review, maintenance and continuous improvement of information security management systems. By basic structure, the standard is similar to other major management system standards. It uses the same familiar elements as other standards, such as process-style management model, internal audits, management reviews, metrics and analyses.
Take note of the following issues when building an information security management system in compliance with the ISO 27001 standard
Chapters 4–10 of the ISO 27001 standard set the requirements for the procedures, processes and documentation needed.
- Define the organisation and the operating environment and identify the stakeholders and their needs and expectations.
- Taking account of the issues above, define the application area of the ISMS and risk management procedures and the management measures related to each risk.
- Clarify the management's role.
As the name management system implies, the system is about management, and, therefore, the management of the organisation plays a significant role. The commitment of the management to the management system and allocation of the necessary resources, responsibilities and authorisations is one of the basic requirements for the system.
- Define the strategic information security goals in the format of various information security policies.
The binding Annex A to the ISO 27001 standard contains the management goals and means that must be complied with in every respect, if applicable. Based on Annex A, organisations must also draw up a Statement of Applicability (SoA). The SoA describes the applicability of the management goals and means, and justifications if some of them cannot be applied.
Closing a deal may require ISO 27001 certification
ISO 27001 assessment and certification performed by an independent third party serve as proof of conformity in information security management.
A certified ISMS may also be the customer's requirement for accepting a supplier. Certification reduces the need for supplier assessments by the customers or audits performed by other external parties or these can be avoided altogether. By reducing the number of audits and assessments, major savings can be achieved in, for example, working hours.
In addition, the tendering and delivery processes become quicker when customer-specific information security assessments are no longer needed. Capital invested in certification can be regained rapidly in the form of, for example, saved working hours or increased business opportunities.
VTT Expert Services as an ISO 27001 certifier
We perform assessments and certifications of information security systems in accordance with the ISO 27001 standard. Our assessors are experienced and competent and will help your company in matters related to the certification of an information security system. The ISO 27001 pre-audit allows you to determine the maturity level and certification readiness of your company's information security system.
This news was published by VTT Expert Services on 7 December 2017. Now VTT Expert Services is Eurofins Expert Services and part of the Eurofins Group.