ISO/IEC 27001 is recognised as an established approach to building effective information security in any organisation. More and more organisations are choosing to adopt the standard whether that be to improve security, build confidence and trust amongst customers and business partners or to fulfil contractual obligations.
ISO/IEC 27001 is known as a management system standard. A management system is essentially an approach to managing a particular area and involves a collection of policies, procedures, processes, people and technologies to deliver required outcomes, in this case effective management of information security risk. ISO have produced many other well known management system standards including ISO 9001 (Quality Management System), ISO 14001 (Environmental Management System), ISO 22301 (Business Continuity Management System) etc. All of these management systems have one thing in common: each develops an approach to manage a given area of risk or to meet a set of requirements.
In 2012 ISO developed Annex SL, which provides a standardised structure for management systems regardless of topic area. This has brought many benefits, such as a standardised way of addressing management issues and the ability for organisations to build “integrated management systems” that address multiple topics with one management system approach. It has also made it possible to streamline the audit and certification process.
Whilst these are certainly significant benefits, they have created a belief in parts of industry that ISO/IEC 27001 is “just another management system” or an “add-on to ISO 9001”, and this has led to the implementation of Information Security Management Systems (ISMS) which look effective “on paper” but which do not deliver real, risk-based security benefits.
In order to get true value from an ISO/IEC 27001 ISMS it is essential that those implementing or auditing ISO/IEC 27001 have real information and cyber security expertise (or have access to such expertise), to help organisations genuinely understand their security risk and identify suitable solutions. ISO/IEC 27001 includes Annex A, a list of 114 security controls grouped into control objective areas covering many aspects of information security, with areas as diverse as network security, systems development security, operational security, human resources security, cryptography, asset management, incident management, continuity and compliance.
If such controls are to be selected, designed and implemented effectively, they need to be understood and appropriately tailored to the organisation's business requirements, customer and stakeholder requirements, compliance obligations and risk profile. In the same way, the implementation of an ISO 45001 management system for Health and Safety would need expertise in that area to develop genuine solutions to Health and Safety problems.
ISO/IEC 27001 is a management system standard which can deliver many benefits by laying the foundations for an organisation to control and manage its security challenges, which can in some cases be complex and constantly changing. These challenges, however, can only be met when an ISMS is developed and implemented with a full understanding of the very challenges and solutions that ISO/IEC 27001 is designed to address.
For more information on how Parker Solutions Group can support your organisation in implementing a value-adding ISO/IEC 27001 ISMS, contact email@example.com