
ISMS – ISO/IEC-27001:2013 – Annex A

  • ISO = International Organization for Standardization
  • IEC = International Electrotechnical Commission
  • ISMS = Information Security Management System

ISO/IEC-27001:2013 is the international security standard and best-practice guideline that specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS (Information Security Management System) within the context of the organization. ISO/IEC-27001 and its best practices are generic and applicable to all organizations, regardless of size, nature, type, etc.

It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. ISO 27001, together with the best-practice guidelines contained in ISO 27002, serves as an excellent guide to get you started with implementing an ISMS.

ISO 27002 is a set of guidelines that elaborates on ISO 27001. You cannot be certified against ISO 27002; there is no such thing.

  • ISO/IEC-27001:2013 Annex A comprises 114 controls, divided into 14 control sets (sections).

To achieve ISO 27001 compliance or certification, an organization needs a fully functional ISMS that meets the standard's requirements.

An ISMS is a documented security management system consisting of a set of security controls that protect the CIA triad, i.e. the confidentiality, integrity and availability of assets, from threats and vulnerabilities. An ISMS safeguards the organisation's information assets.

To elaborate further, an ISMS is a security framework that protects the organization from security breaches and shields it from disruption if and when they do happen. It describes and demonstrates the organisation's approach to information security and privacy, and helps to identify and address the threats and opportunities around valuable information and any related assets.

There are numerous ways of approaching the implementation of an ISMS. The most common iterative method of continual improvement is the PDCA (Plan-Do-Check-Act) cycle:

  • Plan – plan the improvements to the current situation
  • Do – execute the plan
  • Check – evaluate the results of the Do phase
  • Act – act upon the output of the Check phase
