ISO 27001

 

 

GENERAL INFORMATION

Information security (IS) is vital for a modern organization. An information security management system that meets the requirements of the international standard ISO/IEC 27001 helps the organization protect its assets and preserve the confidentiality, integrity and availability of its information.

Since 2005, more than 20,000 companies worldwide have passed a certification audit for compliance with the requirements of ISO/IEC 27001 (according to the IRCA). ISO/IEC 27001 is a source of best practice for designing management systems and is applicable to almost any organization, regardless of form of ownership, type of activity, size or external conditions. It is technology-neutral: it specifies what must be managed, not which products or technologies must be used, and always leaves the choice of technology to the organization.

The Information Security Management System (ISMS) is the part of the overall management system, based on a business risk approach, that is used to establish, implement, operate, monitor, review, maintain and improve information security.

The main elements of the ISMS:

  • protection of systems against unauthorized access, including protection against unauthorized access by the organization's own employees;
  • authentication and authorization;
  • protection of data transmission channels and assurance of data integrity;
  • ensuring that data exchanged with customers is current and accurate;
  • electronic document management;
  • information security incident management;
  • business continuity management;
  • internal and external audits of the ISMS.

The main objectives of the Standard:

  • establishing unified requirements for ensuring the information security of organizations;
  • ensuring interaction between management and employees on information security matters;
  • increasing the effectiveness of the measures that establish and maintain the organization's information security.

 

HISTORY OF THE STANDARD

 

  • In 1992, the UK Department of Trade and Industry published the Code of Practice for Information Security Management.
  • In 1995, the British Standards Institution (BSI) adopted the Code of Practice as a UK national standard and registered it as BS 7799 Part 1.
  • In 1998, BSI published BS 7799-2, the specification of requirements for information security management systems. From that point the standard consisted of two parts: Part 1, a set of practical rules (code of practice), and Part 2, the requirements for an ISMS.
  • In 1999, both parts were revised (BS 7799-1:1999 and BS 7799-2:1999), and Part 1 was submitted to the International Organization for Standardization (ISO).
  • In 2000, Part 1 was approved as the international standard ISO/IEC 17799:2000 (BS 7799-1:2000). The latest version of this standard, adopted in 2005, is ISO/IEC 17799:2005.
  • In September 2002, the revised BS 7799-2:2002 "Information security management systems - Specification with guidance for use" entered into force. This revision built the procedure for improving information security measures around the Plan-Do-Check-Act (PDCA) cycle and a process approach to managing controls. At the end of 2005, it was adopted by ISO as the international standard ISO/IEC 27001:2005 "Information technology - Security techniques - Information security management systems - Requirements".
  • In 2007, ISO/IEC 17799:2005 was included in the 27000 series and renumbered ISO/IEC 27002:2005.
  • On September 25, 2013, the updated ISO/IEC 27001:2013 "Information technology - Security techniques - Information security management systems - Requirements" was published. The changes affected both the structure of the standard and its requirements.

The ISO 27001 standard provides for:

  • defining the objectives, direction and principles of the organization's information security activities;
  • identifying approaches to risk assessment and risk management in the organization;
  • managing information security in accordance with applicable laws and regulations;
  • using a unified approach to the creation, implementation, operation, monitoring, review, maintenance and improvement of the management system so that the information security objectives are achieved;
  • defining the processes of the information security management system;
  • determining the status of information security activities;
  • using internal and external audits to determine the degree to which the ISMS complies with the requirements of the standard;
  • providing adequate information about the information security policy to partners and other stakeholders.

IMPLEMENTATION (CERTIFICATION) BENEFITS

  • increased trust of clients, partners and other stakeholders;
  • increased stability of the organization's operations;
  • international recognition and a stronger company image in domestic and foreign markets;
  • adequate measures to protect against real information security threats;
  • prevention and/or reduction of damage from information security incidents;
  • demonstration of a defined level of information security to stakeholders whose information must be kept confidential;
  • increased value of intangible assets, reduced insurance premiums and a higher company valuation;
  • reduced transaction costs and elimination of "cross-financing" within a single ISMS;
  • expanded opportunities for the company to participate in large state contracts;
  • a significantly simplified path through audits for compliance with PCI DSS and ISO/IEC 20000-1, since much of the required documentation and risk-management evidence already exists.

What are the benefits of implementing ISO/IEC 27001?

The main benefit of creating and implementing an ISMS in accordance with the requirements of ISO/IEC 27001 is independent proof of the stability and reliability of the organization's business processes, including:

  • increased confidence in the organization;
  • increased stability of the organization as a whole;
  • adequate measures to protect against real threats to information security;
  • prevention and/or reduction of damage from information security incidents.

The economic benefits are:

  • independent confirmation that the organization has properly implemented risk management, and that the corresponding management system procedures have been developed and implemented, and are constantly reviewed and improved, by competent and responsible personnel;
  • evidence of compliance with existing laws and regulations (implementation of the system of mandatory requirements);
  • proof of senior management's commitment and responsibility for maintaining the management system across the whole organization, in accordance with the established requirements;
  • demonstration of a defined level of "maturity" of the management system, ensuring a high level of service to the organization's customers and partners;
  • demonstration of regular audits of the management system, performance evaluation and continuous improvement.

A further advantage is effective management of outsourcing through clear criteria for evaluating service providers and clearly assigned responsibility of both parties.
A competitive advantage is proof that the organization's information security processes can meet the needs of external users in the long term, and that risks are assessed and managed.
Certification of an ISMS for compliance with ISO/IEC 27001 is, accordingly, the only generally accepted confirmation in world practice of compliance with international information security requirements. Statistics show that organizations holding international certificates of compliance with ISMS standards receive discounts comparable to the cost of certification.

 


WHY BELPROJECTCONSULTING?

By contacting us to develop an information security management system in accordance with ISO/IEC 27001, you can obtain:

  • confirmation of the compliance of your information security management system by the leading certification body in Russia, which holds international accreditation from ANAB (ANSI National Accreditation Board);
  • a certificate of compliance with the requirements of the national standard of the Russian Federation GOST R ISO/IEC 27001-2006;
  • a certificate of compliance with the requirements of ISO/IEC 27001:2013 issued through IQNet, the international network of certification bodies;
  • the possibility of certifying an integrated management system for compliance with the requirements of two or more standards;
  • the possibility of using the transfer procedure (transferring an existing certificate from another certification body).

 

GENERAL WORK PLAN AND DOCUMENTATION DEVELOPED BY BPC

 

  • preliminary determination of the ISMS scope in accordance with the requirements of ISO/IEC 27001:2013 (a questionnaire is used to localize and identify the business processes that are most critical from the information security point of view);
  • conclusion of a contract for the development and implementation of the ISMS under ISO/IEC 27001:2013;
  • familiarization with the documents on the customer's main activities, including the management structure, the charter, the staffing table, licenses and types of work performed;
  • definition of the ISMS scope and of the list of documentation required for the information security management system;
  • preparation of the ISMS development, implementation and certification program.

Development of the ISMS organizational and administrative documentation:

Methodological assistance in developing the organizational and administrative documentation for implementing and maintaining the ISMS:
- the order on establishing the ISMS;
- analysis of Annex A (the control objectives and controls of ISO/IEC 27001:2013) to define the list of documents required for the actual scope of the ISMS.
Draft regulations and the ISMS policies, with consulting on their implementation:
- Information Security Policy (clauses 5.2, 6.2)
- Access Control Policy (A.9.1.1)
- Information security policy for supplier relationships (A.15.1.1)

 

  • Development of the ISMS documentation (STP denotes an enterprise standard):

- STP "Documentation Management" - description of the ISMS processes operating within the certification scope
- STP "Internal Audit"
- Procedure for risk assessment and risk treatment (STP or SWOT analysis)
- Risk assessment report
- Risk treatment plan
- STP "Records Management"
- STP "Procedure for handling and eliminating faults"
- STP "Incident Management"
- STP "Access Control"
- STP "Personnel and the ISMS"
- STP "Business Continuity"
- STP "ISMS Asset Management"
- STP "Compliance with Legislative and Contractual Requirements"
- STP "Secure System Engineering Principles"
- STP "Information Systems Security"
- STP "Communication Systems Security"
- STP "Supplier Relationships"
- ISMS Manual
- Orders introducing the ISMS documents

Methodological assistance in planning training on the ISMS requirements (training plan);

  • methodological assistance in unifying and streamlining personnel job descriptions and the regulations on organizational units (where necessary) with regard to the implementation of the ISMS requirements;
  • methodological assistance in forming the organization's group of internal auditors in accordance with the requirements of ISO/IEC 27001:2013;
  • a meeting with the organization's top management and the auditors group on the requirements and principles of conducting internal audits;
  • methodological assistance in organizing internal audits;
  • a joint internal audit of the ISMS for compliance with the requirements of ISO/IEC 27001:2013;
  • methodological assistance in documenting the internal audit results;
  • a meeting with the organization's top management and the auditors group on the internal audit results;
  • methodological assistance in drawing up the report(s) on monitoring and review of the information security of the process(es) within the ISMS scope;
  • methodological assistance in drafting the report(s) for the management review of the ISMS by top management;
  • methodological assistance in preparing the documents submitted for certification.

Depending on the organization's type of activity and on which of its business processes the information security management system covers, the list of works and of documents being developed may change.
