What Is ISO/IEC 27001:2013 and Why Does It Matter in Information Security
- ISO = International Organization for Standardization
- IEC = International Electrotechnical Commission
- ISMS = Information Security Management System
ISO/IEC 27001:2013 is the international security standard and best-practice guideline that details the requirements for an ISMS: establishing, implementing, maintaining, and continually improving an Information Security Management System within the context of the organization. ISO/IEC 27001 and its best practices are generic and applicable to all organizations, regardless of size, nature, or type.
Risk Management and Security Requirements for Organizations
The standard also includes requirements for the assessment and treatment of information security risks, tailored to the needs of the organization. ISO 27001, together with the best-practice guidelines contained in ISO 27002, serves as an excellent starting point for implementing an ISMS.
Difference Between ISO 27001 and ISO 27002
ISO 27002 is a set of guidelines that elaborates on the controls in ISO 27001. You cannot be certified against ISO 27002; there is no such certification.
Annex A – Overview of ISO/IEC-27001:2013 Control Sets
- ISO/IEC 27001:2013 Annex A comprises 114 controls, divided into 14 control sets (sections).
To achieve ISO 27001 compliance or certification, an organization needs a fully functional ISMS that meets the standard's requirements.
Purpose of an ISMS in Cybersecurity and Risk Mitigation
An ISMS is a documented security management system consisting of a set of security controls that protect the CIA triad (confidentiality, integrity, and availability) of assets against threats and vulnerabilities. In short, the ISMS safeguards the organisation's information assets.
Benefits of Implementing an ISMS Framework
To elaborate further, an ISMS is a security framework that protects the organization from security breaches and shields it from disruption if and when they do happen. It describes and demonstrates the organisation's approach to information security and privacy, and it helps to identify and address the threats and opportunities around valuable information and any related assets.
The PDCA Cycle: A Method for Information Security Management System Continual Improvement
There are numerous ways of approaching the implementation of an Information Security Management System. The most common iterative method of continual improvement is the PDCA (Plan-Do-Check-Act) cycle:
- Plan – plan how to improve the current situation
- Do – execute the plan
- Check – evaluate the results of the Do phase
- Act – act upon the output of the Check phase