ISO 27001:2013

Information Security Management System (ISMS)

ISO/IEC 27001 is an international standard, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), that specifies the requirements for an information security management system (ISMS). An ISMS is a framework that helps an organization of any size or sector develop the policies, procedures and controls needed to protect its information assets. It lets the organization demonstrate to stakeholders that sensitive data and systems are safeguarded against attack and loss. Certification is issued by an accredited third-party certification body (a ‘registrar’) after an audit, and attests that the organization’s ISMS conforms to the requirements of ISO/IEC 27001.

The standard does not prescribe a fixed list of products. Conformance means identifying the risks to your information, selecting and operating the controls that treat those risks (technical measures such as firewalls and intrusion detection systems among them, alongside organizational, people and physical controls), and being able to show an auditor evidence that the controls are in place and working.

Advantages:

The standard defines the structure of an ISMS and the requirements such a system must meet. This comprehensive approach offers several decisive advantages:

  • Increased security awareness among employees and interested parties
  • Reduced risk of management liability
  • Cost savings through avoided information security incidents
  • Contribution to safeguarding business continuity
  • Legal certainty through systematic adherence to the laws that apply to business processes and data privacy

ISO 27001:2013 Clause 8 Operation

This clause of the standard sets out the requirements for operating the ISMS: carrying out the processes that were planned, and running the risk assessment and risk treatment in practice. It has three sub-clauses:

8.1 Operational planning and control

8.2 Information security risk assessment

8.3 Information security risk treatment


8.1 Operational planning and control

The organization shall plan, implement and control the processes needed to meet its information security requirements and to carry out the actions determined during planning (Clause 6.1).

The organization shall implement plans to achieve its information security objectives (Clause 6.2), and shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.

The organization shall control planned changes, review the consequences of unintended changes and act to mitigate any adverse effects. Outsourced processes shall be identified and controlled as well.


8.2 Information security risk assessment

The organization shall perform information security risk assessments at planned intervals, and additionally whenever significant changes are proposed or occur, using the risk criteria established during planning (Clause 6.1.2).

The organization shall retain documented information of the results of each information security risk assessment.


8.3 Information security risk treatment

The organization shall implement the information security risk treatment plan, and shall retain documented information of the results of the information security risk treatment.