By Julie Kendall
Our last post focused on why exactly an ISMS is important to your business. This time, we’re delving into the ISO 27001 standard.
What is the ISO 27001 Information Security Management System?
ISO 27001 is an internationally accepted, risk-based information security management standard. It requires active participation by business and IT management in assessing their risks and choosing the controls best suited to meet their needs in a cost-effective manner. The standard is sometimes referred to as a ‘controls-based’ framework. By requiring an ongoing assessment of risks and an evaluation of the adequacy of the controls intended to mitigate the exposures those risks pose, the ISO 27001 framework can provide management with a significant degree of assurance that their information is well protected.
A simple lookup of ISMS standards in Wikipedia will note, “some best-known ISMSs for computer security certification are the Common Criteria (CC) international standard and its predecessors Information Technology Security Evaluation Criteria (ITSEC) and Trusted Computer System Evaluation Criteria (TCSEC). Some nations publish and use their own ISMS standards, e.g. the Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP) of USA, the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) of USA, the German IT baseline protection, ISMS of Japan, ISMS of Korea, Information Security Check Service (ISCS) of Korea.”
How does ISO 27001 compare to other ISMS standards?
The ISO 27001 framework has been accepted by organizations large and small throughout the world as a systematic approach to the identification, assessment, and management of information security risks. By implementing the standard, an organization can address the confidentiality, integrity, and availability goals for its information assets and, in so doing, prevent or minimize the negative impact of security incidents on the organization.
Who should consider implementing ISO 27001 ISMS standards?
Financial institutions, third-party IT servicers, health services, public or governmental agencies, and digital content production and entertainment companies all have reasons to take information security very seriously. Legal and regulatory requirements aimed at protecting personal or sensitive information compel organizations to devote considerable effort to managing information security risks. Intellectual property rights in digitally produced content require third parties to protect that content against unauthorized disclosure or premature distribution, so that expected revenue streams are not negatively impacted. Implementing the ISO 27001 framework has been a proven, effective means of achieving those compliance and revenue objectives for many of the organizations that have adopted it.
Stay tuned for the final part of our four-part series, where we’ll talk about what it takes to implement an ISMS.
For assistance in identifying gaps in your information security efforts and the steps you should consider implementing to become compliant with the ISO 27001 standard, please contact KAI Partners by email at info@kaipartners.com. We can help you address your information security risks and train your staff to minimize them.
About the Author: Co-owner of KAI Partners, Inc., Julie Kendall is an IT Audit Manager with over 40 years’ experience in project management, IT risk analysis, IT audit testing, Sarbanes-Oxley IT control testing, SAS 70 vendor reviews, and IT audit/control teaching. Julie’s work has focused on IT audit department development consulting, IT risk analysis, IT infrastructure support and application audits, vendor information security testing, IT control identification, IT SOX and ISO 27001 information security control compliance consulting/testing, and IT audit software development consulting/project management. Julie has provided training consultation for CISA exam reviews for IT auditors, and management training on a variety of technology controls based on different information security standards, including COSO, SOX, PCI-DSS, HIPAA, and ISO 27001. Her primary focus in the last 10 years has been the financial services industry, high-technology manufacturing, state governments, and digital content production companies.