Chinese Association of Idaho State University (CAISU)

What is ISO 27001 Certification – The Gateway to Information Security

Yes!!! There is a lot of buzz around information security: is our company secure in terms of information security? How can we check? Is there a checklist? What are the information security criteria? And so on. The solution to this brainstorming is the simple basics of ISO 27001.

WHAT IS ISO 27001 CERTIFICATION?

The ISO 27001 standard specifies an Information Security Management System (ISMS). It gives a specification for information security: the basic framework of a set of policies, practices and procedures that includes regulatory requirements and physical, technical and administrative controls. When we speak about controls, we can simply classify them in three ways, along with the department responsible for each:

Control type                  | Dept Responsible                   | Examples
Physical or Admin controls    | Admin or facility manager          | Locks, alarm systems, video surveillance
Digital or Technical controls | IT Support or IT Manager           |
Administrative controls       | Human Resource or Management Heads |

WHAT ARE THE SIMPLE STEPS TO IMPLEMENT IT SECURITY, IS THERE AN ISO 27001-ISMS CHECKLIST?

Yes!! There are a number of ISMS checklists which you can download for reference. You can also reach out to our CertPro professionals for ISMS checklists.

Based on our research into what is generally practised by top companies, we have simplified the standard to 7 steps:

Step 1: Identify the key areas of the organization.

Step 2: Classify information simply as Confidential, Internal and Public.

Step 3: Define the access for the above and identify the risk involved with it.

Step 4: Invest your resources in securing the most valuable assets and confidential information by selecting the right controls.

Step 5: Monitor the controls implemented.

Step 6: Define your back-ups as a Business Continuity Plan.

Step 7: Conduct multiple iterations of audits to narrow down the process.

WHAT ARE THE AREAS OF CONTROL FOR ISO 27001 ISMS & WHAT DOES ISMS CLAUSES MEAN?

There are 10 clauses in the ISO 27001:2013 version. Clauses 1 to 3 are non-auditable and clauses 4 to 10 are auditable. All areas of control are explained under clauses 4 to 10.

Clause 1- Scope (non-auditable clause)

Clause 2- Normative reference (non-auditable clause)

Clause 3- Terms & definitions (non-auditable clause)

Clause 4- Context of the organization- organization context, the scope of work, needs & expectations of interested parties, the need for an ISMS, and management commitment towards implementing the ISMS.

Clause 5- Leadership- defining roles & responsibilities, defining the ISMS policy, commitment to implementing the ISMS, and a person (CISO- Chief Information Security Officer) or a team (Core Team) to look after all ISMS activity.

Clause 6- Planning- ISMS objectives (setting short-term and long-term goals) and a plan to achieve those objectives.

Clause 7- Support- identify the resources, train your team on the ISMS, evaluate the skills and knowledge of the current system against the requirements, and define internal and external communications and the documentation management system.

Clause 8- Operations- core business activity and the planning to achieve it, risk identification while planning, and choosing the appropriate methodology to treat the risk.

Clause 9- Performance evaluation- verify, validate and analyse; internal audits and management review meetings.

Clause 10- Improvement- identifying the areas to be improved, prioritizing & finding the corrective actions, and setting new objectives and goals for continual improvement.

Annex A is a reference list of control objectives and controls.

Read More >> https://certpro.in/what-is-iso-27001-certification/
