Introduction to ISO 27001

ISO 27001:2013 (previously known as ISO/IEC 27001:2005) specifies the requirements for an information security management system whose scope includes all policies and procedures related to legal, physical and technical documentation control and its effective implementation for minimization of risks.

Six Part Planning Process of ISO 27001

  • Security Policy: Define a security
  • Scope: Define the scope of  information security management system.
  • Risk Assessment: Conduct Risk assessment.
  • Risk Identification: Manage to minimize identified risks.
  • Control Objectives Settings: Minimize risks by selecting control objectives and other controls that need to be implemented.
  • Statement of Applicability: Thoroughly prepare a statement of applicability.

Process Approach of ISO 27001

The process approach of ISO 27001 signifies founding, applying, operating, monitoring, reviewing, maintaining and improving an organization’s internal Security Management System often abbreviated as (ISMS).

The process approach of ISO 27001 signifies the emphasis on:

  • Setting up the policy and goals for security of information and have in depth understanding about information security requirements.
  • Managing information security risks in order to implement and operate control to manage security of information.
  • Periodic monitoring and reviewing of performance effectiveness of ISMS.
  • Objective measurement and tracking based on continual improvement methodologies that ensures customer’s satisfaction to the utmost levels.

However, PDCA (Plan Do Check Act) model has been adopted by International standards which reflects a robust approach for flourishing continual improvement cycle and implementation of principle guidelines related to risk assessment and security’s design, implementation, reviewing, management and re-assessment.

Purpose of ISO 27001

ISO 27001 magnifies the importance of all mandatory requirements to protect system’s information and its integrity at all costs.

How ISO 27001 works?

It works on risk management and its reduction in order to protect system’s confidentiality and fill any potential gaps  (if identified).

Structure of ISO 27001

Section 0: Illustration of ISO 27001 working principle and its compatibility with other ISO standards.

Section 1: Defines scope and applicability

Section 2: Refers to ISO 27001 reference and definitions

Section 3: Refers to relevant terms and its contextual explanation

Section 4: Defines organizational context with significant relevance to Plan part of PDCA cycle

Section 5: Magnifies the leadership and top management commitment by clearly defining top down roles and responsibilities of team mates.

Section 6: Defines how to Planning works in PDCA by defining essentials for risk management and its minimization and helps to create Risk Treatment plan by establishing system security goals.

Section 7: Signifies the importance of availability of helping resources, creating awareness and building up competency level of employees about ISO 27001 and its requirements.

Section 8: Denotes “Do” phase of PDCA cycle and explains step by step implementation of risk minimization, risk assessment and risk treatment.

Section 9: Refers to “Check” step of PDCA cycle where tools like Internal auditing techniques, gap analysis, identified gaps closure, Evaluation in Management reviews are being used.

Section 10: Continuous Improvement cycle runs in the form of PDCA’S “Act” step where major and minor non-conformity are being hunted and opportunities for improvement (OFI) are being highlighted.

Implementing an Information Security Management System aligned with ISO 27001

Following are the 10 key steps that one should milestone during implementation of ISO 27001:

  • Define the Scope of Information Security Management System
  • Develop a policy for Information Security & Objectives
  • Execute Gap analysis
  • Identify Risk by doing risk assessment
  • Establish Risk Treatment Plan
  • Effective Documentation and its control
  • Rolling out Employees’ Training Programs
  • Conduct periodic Internal Audit
  • Conduct periodic Management Reviews
  • Selection of ISO certification body & get certified

How PDCA cycle and Continuous Improvement Methodology Apply to Information Security Management System?

Plan Do Check Act cycle abbreviated as (PDCA) applies in ISMS as follows:

  • Plan: Plan to set up ISMS policy, objectives, processes and procedures that help to minimize risks and improve system security.
  • Do: Implementation and effective operation of ISMS policy, controls and processes.
  • Check: Monitoring, verification and periodic review of ISMS performance indicators and its tracking
  • Act: Maintain and improve continuously by applying corrective  action approach.

What to Verify In Information Security Management System Internal Audits?

Periodic ISMS internal audits should be carried out after regular intervals of time to verify whether adherence of ISMS guidelines are being done or not. The current ISMS should conform to:

  • All Requirements of ISO 27001.
  • Effective implementation and maintenance of the adherence of ISO 27001 clauses.
  • Continuous improvement via corrective and preventive actions approach

How Corrective Actions Approach Works in Information Security Management System?

Corrective actions are the actions that are taken to eliminate the cause of non-conformity in order to prevent their recurrence. Those corrective actions should be implemented that define mandatory requirements for:

  • Identification of non-conformity
  • Cause determination of non-conformity
  • Implementation of corrective actions
  • Evaluation of corrective actions based on their repetition and sustainability
  • Result Recording of Implemented Corrective Actions
  • Periodic review of corrective actions taken

 Enlisted Other Related Information Security ISO Standards

  • ISO 27002
  • ISO 27004
  • ISO 27005
  • ISO 22301
  • ISO 9001

Looking to get ISO 27001 certification for your business?

What questions do you have and how can we help?