What is ISO 27001?
The International Standard of Organization is an international organization for software, hardware, electrical and electronics standards. The organization was established in 1987 with the mission of developing benchmarks for quality management. The group was charged with developing a system for identifying quality systems and performance indicators. For a product to meet these requirements, it had to be shown to conform to the ISO standards and to the latest technological developments.
Why is ISO 27001 important?
ISO provides a set of international standards and systems that help companies determine whether or not their technology meets the international standard. This helps avoid the cost and risk of not meeting these standards, and it provides a benchmark against which security threats can be measured. Everyone has to meet the general requirements, which include:
Continuous Improvement and Validation
ISO 27001 specifies a continuous improvement philosophy and applies it to every aspect of the business and its operations. It focuses on maintaining the standards and systems that have been established on the basis of risk assessment and security assurance. If your organisation wishes to join the organisation, it must first comply with the basic requirements, which include adopting policies and procedures, assessing risks, documentation and testing. Once you become a member, you will be provided with continuous improvement resources such as training, documentation and advisory opportunities. You will also be given continued access to resources for real-time incident management and validation.
Incident Management
Incident management involves responding to security events. An incident management system (IMS) is designed to minimise the potential impact of security events on your business and to identify and respond to problems before they occur. If a problem does occur, the IMS will first conduct an assessment to determine what caused it and will notify the relevant individuals. If the problem cannot be traced to an IT cause, the incident management team will review the premises to establish what actions should have been taken in the circumstances to minimise the risk to your organisation. In addition to advising on the actions that were taken, the IMS will collect and store all relevant data relating to the incident for later analysis. The aim of the IMS is to minimise the risk to the IMS itself as well as the risk to your staff and your customers.
Risk Assessment
As part of the continuous improvement process, an ISO 27001 accredited project manager conducts risk assessments, following the guidelines set out by the International Standard for Information Security Management System (ISSS S) 2021. Before a risk assessment begins, all relevant personnel, and any other personnel involved in the organisation’s activities, are informed about the purpose, results, risks and consequences of the assessment. The risk assessment determines the highest level of risk to the organisation and identifies the actions required to mitigate it. Once the risk assessment has been completed, a risk treatment is developed in line with the objectives of the assessment.
Training
An ISO 27001 qualified training officer performs the functions of an IMS supervisor. They supervise the procedures that the IMS supervisor and other personnel follow to identify and report risks to the organization. The training courses provided by the IMS ensure that employees are trained to detect risks and report them to the relevant personnel and to the organization, and also in the procedures for handling and controlling risk data. This training is incorporated into the ISO 27001 information security controls instruction.
Information Security Control
ISO 27001 certification is not mandatory, but it is still an important indicator of an organization’s compliance with international standards. It shows that an IMS has met the requirements for passing the ISO 27001 certification examination. An individual can seek certification through different channels, including the Accreditation Council for Information Security Management (ACISM), the Information Security Management Association of South Africa (ISMA), and the American Institute of Information Security Management (AISSM).
An individual who is considering certification should evaluate their knowledge, skills, required training and certification requirements in accordance with the procedures set out by the organization they wish to join. They then need to assess whether they have the skills, experience and continuing education to pass the certification examination. They must also follow the procedures set out by the institution in question, and comply with the regulations laid down by the various branches of government that govern the ongoing maintenance and development of a continuous management system.