ISO 27001 is the international standard for Information Security Management Systems (ISMS). This standard, closely linked to the 27000 family in general and to ISO 27002 in particular, supports organizations in meeting their regulatory compliance objectives for Information System (IS) security and helps them prepare for, and position themselves with respect to, new and emerging regulations related to IT or to other societal subjects (CSR, for example).
An asset can be defined as "anything of value to an organization". Information and intangible assets are subject to various threats, both external and internal. Risks include natural disasters (a flooded computer room), fraud and other criminal activity (ransomware), user errors and system failures.
ISO 27000 defines effective information security as "preserving the confidentiality, integrity and availability of information":
- Confidentiality: "the property that information is not disseminated or disclosed to unauthorized persons, entities or processes".
- Integrity: "the property to protect the accuracy and completeness of assets".
- Availability: "the property of being accessible and usable on demand by an authorized entity", meaning that information must be accessible to computer components (software, hardware, connected objects, etc.) as well as to human users.
Implementation of an ISMS
An ISMS, as the standard clearly defines it, covers "the organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources". The three structuring components (the "3 Ps") are found here:
- P: People: user behavior;
- P: Process: the process (or procedure);
- P: Product: technology (or product).
As with any project, it is recommended to produce a framing note, under the responsibility of management and registered among the strategic objectives, so that the project has management's support. Eiwler supports you in all stages of the project to secure your Information System.
ISO 27002: 17 chapters to consider in the ISMS project
◈ Field of application
◈ Normative references
◈ Terms and definitions
◈ Structure of this standard
◈ Information security policies
◈ Information security organization
◈ Human resources security
◈ Asset management
◈ Access control
◈ Physical and environmental security
◈ Operations security
◈ Communications security
◈ Acquisition, development and maintenance of information systems
◈ Supplier relationships
◈ Management of information security incidents
◈ Information security aspects in business continuity management
Contents of the ISMS documentation
The documentation must be complete, exhaustive, in accordance with the requirements of the standard and adapted to the needs of each organization. ISO 27001 describes the minimum documentation to be included in the ISMS and in particular requires the production of the document entitled Declaration of Applicability (DoA), defined as a "documented declaration describing the security objectives, as well as the appropriate measures applicable to the ISMS of an organization".
PDCA cycle and implementation of an ISMS
Plan (establish the ISMS):
- Define the organization and its context;
- Determine the scope of the ISMS;
- Define the information security policy;
- Determine a systematic approach to risk assessment;
- Carry out a risk assessment in order to identify, within the framework of the policy and the ISMS, the organization's important information assets and the risks to which they are exposed;
- Map the risks;
- Identify and evaluate the options related to the treatment of these risks;
- Select, for each risk treatment decision, the control objectives and controls to be implemented;
- Prepare a declaration of applicability (DoA): this is the document describing the security objectives, as well as the appropriate measures applicable to the ISMS of an organization.
Do (implement and operate the ISMS):
- Formulate the risk treatment plan and its documentation, including the planned processes and detailed procedures.
- Implement the risk treatment plan and planned controls.
- Provide appropriate training to affected personnel, as well as awareness programs.
- Manage operations and resources in accordance with the ISMS.
- Implement procedures to quickly detect and respond to security incidents.
Check (monitor and measure the ISMS):
- Monitoring, review, testing and auditing are an ongoing process that should cover the entire system.
Act (maintain and improve the ISMS):
- Readjustment: the results of tests, internal controls and verifications, as well as the ISMS itself, should be reviewed by management in light of changes in the risk environment, in technology or in any other circumstance; improvements to the ISMS should be identified, documented and implemented iteratively.
- “Continuous improvement” process.
Risk assessment process
The seven steps to perform a risk assessment
1) Identify the risks associated with the loss of confidentiality, availability and integrity of the value chain;
2) Identify those responsible for monitoring risks;
3) Evaluate the consequences that may result from the materialization of an identified risk;
4) Assess the probability of this risk occurring;
5) Determine the risk levels;
6) Compare the results of the analysis with the risk criteria;
7) Prioritize risk treatment.
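To make the seven steps concrete, here is an added Python example (not code from the page or from Eiwler) of a minimal risk register: each entry records the lost property, the owner, the consequence and the probability, and the register derives the level, compares it with the acceptance criteria and orders the treatment. The 1-to-5 scales, the acceptance threshold and the sample risks are constructed assumptions.

```python
from dataclasses import dataclass

# Step 6 input: risk acceptance criteria. Assumed value: a risk whose level
# (consequence x probability on 1..5 scales, so 1..25) reaches this threshold
# must be treated; below it, the risk may be accepted.
ACCEPTANCE_THRESHOLD = 8

SECURITY_PROPERTIES = {"confidentiality", "integrity", "availability"}


@dataclass
class Risk:
    asset: str
    threat: str
    property_lost: str   # step 1: which of C, I or A the threat affects
    owner: str           # step 2: who monitors this risk
    consequence: int     # step 3: impact if the risk materializes (1..5, assumed scale)
    probability: int     # step 4: likelihood of occurrence (1..5, assumed scale)

    def __post_init__(self) -> None:
        if self.property_lost not in SECURITY_PROPERTIES:
            raise ValueError(f"unknown security property: {self.property_lost}")
        for value in (self.consequence, self.probability):
            if not 1 <= value <= 5:
                raise ValueError("consequence and probability must be in 1..5")

    @property
    def level(self) -> int:
        """Step 5: the risk level, here the product of consequence and probability."""
        return self.consequence * self.probability


def qualify(level: int) -> str:
    """Map a numeric level (1..25) to a qualitative band (assumed bands)."""
    if level >= 15:
        return "critical"
    if level >= 8:
        return "high"
    if level >= 4:
        return "medium"
    return "low"


def assess(risks: list[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> tuple[list[Risk], list[Risk]]:
    """Steps 6 and 7: split risks into those to treat and those acceptable
    under the criteria, and order the former by level (then consequence)."""
    to_treat = sorted((r for r in risks if r.level >= threshold),
                      key=lambda r: (r.level, r.consequence), reverse=True)
    accepted = [r for r in risks if r.level < threshold]
    return to_treat, accepted


# Constructed sample register, using the threats named on the page.
SAMPLE_RISKS = [
    Risk("Computer room", "Flooding", "availability", "IT operations manager", 5, 1),
    Risk("File servers", "Ransomware", "availability", "CISO", 5, 3),
    Risk("HR database", "Insider disclosure", "confidentiality", "HR director", 4, 2),
    Risk("Billing system", "User input error", "integrity", "Finance director", 2, 4),
]
```

With these assumptions the ransomware scenario (level 15, critical) heads the treatment plan, the two level-8 risks follow with the higher-consequence one first, and the flooding scenario (level 5) falls below the threshold and may be accepted with its owner monitoring it.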