The ISO 27001 standard
The ISO 27001 standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organisation’s information security management system.
ISO 27001 was established by the International Organization for Standardization (ISO). It was first launched in 2005, and was reviewed in 2013.
Alignment with existing management systems
ISO 27001 is aligned with other management systems, and supports consistent and integrated implementation and operation with related management standards.
Here are some of its features:
- ISO 27001 is fully compliant with the structure of other management systems, such as ISO 22301 – Business Continuity Management
- ISO 27001 emphasises continual improvement of your information security management system, as all other management standards do
- Thoroughly describes the requirements for the documentation and records an organisation needs to have in place
- Follows the Plan, Do, Check, Act (PDCA) process model, as other standards do (e.g. ISO 22301 – Business Continuity Management)
Protecting your assets
The standard takes a comprehensive and thorough approach to information security. Assets in need of protection range from digital information, paper documents, and physical assets (computers, networks, paperwork, buildings) to the knowledge of individual employees. Issues you may also have to address range from the competence development of staff, including their training records, to technical protection against computer fraud.
ISO 27001 helps you protect your information in terms of the following principles:
- Confidentiality ensures that information is accessible only to those authorized to have access
- Integrity safeguards the accuracy and completeness of information as well as the processing methods in use
- Availability ensures that authorized users have access to information and associated assets on a need-to-know basis
Information Security vs Cyber Resilience
It is important to understand that Information Security is quite different from Cyber Resilience in an organisation. While Information Security makes sure that data and information (electronic or physical records) are in place and follow the CIA triangle above, Cyber Resilience deals with the capacity of the organisation to prevent any break-in to its systems and its IT perimeter security.
Cyber Resilience, or Cyber Security, follows a different standard approach, described in the PAS 555 document.