ISO 27001 Standard

What is ISO 27001

The ISO/IEC 27001 standard is the only certifiable and auditable standard that defines the requirements for an ISMS (Information Security Management System) and is designed to ensure the selection of appropriate and proportionate security controls. In this way a company can protect its information and give confidence to stakeholders, especially to its own customers.

The family of ISO 27000 standards published to date can be grouped into the following thematic areas.

Vocabulary
- ISO/IEC 27000 - "Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary"

General requirements
- ISO/IEC 27001 - "Information security management system -- Requirements". It is the normative document to which an organization wishing to be certified has to refer.
- ISO/IEC 27006 - "Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems". It is the reference standard for certification bodies.

General guidelines
- ISO/IEC 27002 - "Information technology -- Security techniques -- Code of practice for information security management". Provides non-mandatory guidance on protecting a company's information assets.
- ISO/IEC 27003 - "Information technology -- Security techniques -- Information security management system implementation guidance". Provides guidelines for planning the implementation of an information security management system in accordance with ISO 27001.
- ISO/IEC 27004 - "Information technology -- Security techniques -- Information security management -- Measurement". Provides procedures and example constructs for defining and measuring the effectiveness of the Information Security Management System adopted by the organization and of the related controls from Annex A.
- ISO/IEC 27005 - "Information technology -- Security techniques -- Information security risk management". Provides guidance on the procedures and steps to be taken to properly assess the company's risk, in particular information security risk. In its 2011 version this standard has been aligned with ISO/IEC 31000 "Risk management -- Principles and guidelines".
- ISO/IEC 27007 - "Information technology -- Security techniques -- Guidelines for information security management systems auditing". It is a guideline for accredited Certification Bodies (CBs), internal auditors and external / third-party auditors verifying compliance of an Information Security Management System with the requirements of ISO/IEC 27001.
- ISO/IEC TR 27008 - "Information technology -- Security techniques -- Guidelines for auditors on information security controls". It supports the planning and performance of ISMS audits by closing the gap between management system reviews and, where necessary, the auditing of the controls in Annex A of ISO/IEC 27001.

Sector-specific guidelines
- ISO/IEC 27010 - "Information technology -- Security techniques -- Information security management for inter-sector and inter-organizational communications"
- ISO/IEC 27011 - "Information technology -- Security techniques -- Information security management guidelines for telecommunications organizations based on ISO/IEC 27002"
- ISO/IEC 27014 - "Information technology -- Security techniques -- Governance of information security"
- ISO/IEC 27013 - "Information technology -- Security techniques -- Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1"
- ISO/IEC TR 27015 - "Information technology -- Security techniques -- Information security management guidelines for financial services"
- ISO/IEC 27031 - "Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity"
- ISO/IEC 27032 - "Information technology -- Security techniques -- Guidelines for cybersecurity"
- ISO/IEC 27033-1 - "Information technology -- Security techniques -- Network security -- Part 1: Overview and concepts"
- ISO/IEC 27033-2 - "Information technology -- Security techniques -- Network security -- Part 2: Guidelines for the design and implementation of network security"
- ISO/IEC 27033-3 - "Information technology -- Security techniques -- Network security -- Part 3: Reference networking scenarios -- Threats, design techniques and control issues"
- ISO/IEC 27034-1 - "Information technology -- Security techniques -- Application security -- Part 1: Overview and concepts"
- ISO/IEC 27035 - "Information technology -- Security techniques -- Information security incident management"
- ISO/IEC 27036-3 - "Information technology -- Security techniques -- Information security for supplier relationships -- Part 3: Guidelines for information and communication technology supply chain security"
- ISO/IEC 27037 - "Information technology -- Security techniques -- Guidelines for identification, collection, acquisition and preservation of digital evidence"
- ISO 27799 - "Health informatics -- Information security management in health using ISO/IEC 27002"

CSQA is accredited by ACCREDIA. CSQA can issue internationally recognized certifications through IQNet, being a member of CISQ.

Key points
- Risk assessment consistent with the organization's context;
- the concept of information (or information resource) and its development;
- the economic and financial aspects of information security;
- the organizational (and not just technological) aspect of information security;
- the effectiveness of an ISMS and of the measures taken to deal with the risks.

Of the utmost importance is Annex A, containing the 114 "controls" (or measures) by which an organization intending to apply the standard must abide. They concern, among others:
- the policy and organization for information security
- human resources security
- asset management
- logical access control
- cryptography
- physical and environmental security
- security of operations
- security of communications
- application security management
- the relationship with the suppliers involved in the management of information security
- information security incident handling
- Business Continuity management
- regulatory compliance

Benefits
- Gain a competitive edge by meeting your customers' contractual requirements, with particular attention to the security of their information
- Identify, assess and manage the organization's risks objectively, while at the same time formalizing information security processes, procedures and documentation
- Demonstrate objectively compliance with applicable laws and regulations
- Demonstrate the commitment of corporate executives to ensuring information security
- Ensure constant monitoring of business performance and trigger the necessary improvement actions