ISO/IEC 27001 Information Security Management

Keep your confidential information safe

You simply can’t be too careful when it comes to information security. Protecting personal records and commercially sensitive information is critical. ISO/IEC 27001 helps you implement a robust approach to managing information security (infosec) and building resilience.

About ISO/IEC 27001

Internationally recognized ISO/IEC 27001 is an excellent framework which helps organizations manage and protect their information assets so that they remain safe and secure. It helps you to continually review and refine the way you do this, not only for today, but also for the future. That’s how ISO/IEC 27001 protects your business, your reputation and adds value. ISO/IEC 27001 helps make businesses more resilient and responsive to threats to information security. It helps keep your business secure so you can focus on doing “business as usual” whilst clearly showing clients and suppliers your commitment to protecting information. Today, in this highly interconnected world, it is important for organizations to ensure their operations are run efficiently and that data is secure. And with the increase in data use, protecting data is getting harder:

  • 75% of organizations do not believe that all their business data is completely secure
  • 90% of organizations had a breach in 2014
  • $400 bn is the estimated cost of cybercrime

By focusing on the key risks to your organization, you can reduce the threats and impact. Third party certification can provide additional reassurance to key stakeholders that risks are being managed effectively.

Leading benefits of ISO/IEC 27001 experienced by BSI customers:

We spend many hours each year improving the performance of businesses in Azerbaijan. This experience, together with major projects such as those for the Ministry of Taxes and the Central Bank of Azerbaijan, allows us to see first-hand how ISO/IEC 27001 can help organizations to continually improve and deliver real benefits.

What is ISO/IEC 27001 certification?

ISO/IEC 27001 is an internationally recognized best practice framework for an information security management system (ISMS). It helps you identify risks and puts in place security measures that are right for your business, so that you can manage or reduce risks to your information.

By achieving ISO/IEC 27001 certification you can demonstrate that your ISMS meets international best practice and show customers, suppliers, and the marketplace that your organization has the ability to handle information securely.

Clause 1: Scope

The first clause details the scope of the standard.

Clause 2: Normative references

All the normative references are contained in ISO/IEC 27000, Information technology – Security techniques – Information security management systems – Overview and vocabulary, which is referenced and provides valuable guidance.

Clause 3: Terms and definitions

Please refer to the terms and definitions contained in ISO/IEC 27000. This is an important document to read.

Clause 4: Context of the organization

This is the clause that establishes the context of the organization and its effects on the ISMS. Much of the rest of the standard relates to this clause. The starting point is to identify all external and internal issues relevant to your organization and to your information, or to information that is entrusted to you by third parties. Then you need to establish all “interested parties” and stakeholders, as well as how they are relevant to the information. You will need to identify the requirements of interested parties, which could include legal, regulatory and/or contractual obligations. You’ll also need to consider important topics such as any market assurance and governance goals. You will be required to decide on the scope of your ISMS, which needs to link with the strategic direction of your organization, its core objectives and the requirements of interested parties. Finally, you’ll need to show how you establish, implement, maintain and continually improve the ISMS in relation to the standard.

Clause 5: Leadership

This clause is all about the role of “top management,” which is the group of people who direct and control your organization at the highest level. They will need to demonstrate leadership and commitment by leading from the top. Top management need to establish the ISMS and information security policy, ensuring it is compatible with the strategic direction of the organization. They also need to make sure that these are made available, communicated, maintained and understood by all parties. Top management must ensure that the ISMS is continually improved and that direction and support are given. They can assign ISMS-relevant responsibilities and authorities, but ultimately they remain accountable for it.

Clause 6: Planning

This clause outlines how an organization plans actions to address risks and opportunities to information. It focuses on how an organization deals with information security risk, and the effort needs to be proportionate to the potential impact those risks have. ISO 31000, the international standard for risk management, contains valuable guidance. Organizations are also required to produce a “Statement of Applicability” (SoA). The SoA provides a summary of the decisions an organization has taken regarding risk treatment: the control objectives and controls you have included, those you have excluded, and why you have decided to include or exclude each control. Another key area of this clause is the need to establish information security objectives; the standard defines the properties that information security objectives must have.

Clause 7: Support

This section of ISO/IEC 27001 is all about getting the right resources, the right people and the right infrastructure in place to establish, implement, maintain and continually improve the ISMS. It deals with requirements for competence, awareness and communications to support the ISMS, and it could include making training and personnel available, for example. This clause also requires all personnel working under an organization’s control to be aware of the information security policy, how they contribute to its effectiveness and the implications of not conforming. The organization also needs to ensure that internal and external communications relevant to information security and the ISMS are appropriately communicated. This includes identifying what needs to be communicated, to whom, when and how this is delivered. It’s in this clause that the term “documented information” is referenced. Organizations need to determine the level of documented information that’s necessary to control the ISMS. There is also an emphasis on controlling access to documented information, which reflects the importance of information security.

Clause 8: Operation

This clause is all about the execution of the plans and processes that are the subject of the previous clauses. It deals with the execution of the actions determined and the achievement of the information security objectives. In recognition of the increased use of outsourced functions in today’s business world, these processes also need to be identified and controlled. Any changes, whether planned or unintended, need to be considered here, together with their consequences for the ISMS. It also deals with the performance of information security risk assessments at planned intervals, and the need for documented information to be retained to record the results of these. Finally, there is a section that deals with the implementation of the risk treatment plan and, again, the need for the results to be retained as documented information.

Clause 9: Performance evaluation

This clause is all about monitoring, measuring, analyzing and evaluating your ISMS to ensure that it’s effective and remains so. This clause helps organizations to continually assess how they are performing in relation to the objectives of the standard, in order to continually improve. You will need to consider what information you need to evaluate information security effectiveness, the methods employed, and when it should be analyzed and reported. Internal audits will need to be carried out, as well as management reviews. Both of these must be performed at planned intervals, and the findings will need to be retained as documented information. It should be noted that management reviews are also an opportunity to identify areas for improvement.

Clause 10: Improvement

This part of the standard is concerned with corrective action requirements. You will need to show how you react to nonconformities, take action, correct them and deal with the consequences. You’ll also need to show whether any similar nonconformities exist or could potentially occur, and show how you will eliminate their causes so they do not occur elsewhere. There is also a requirement to show continual improvement of the ISMS, including demonstrating its suitability, adequacy and effectiveness. However, how you do this is up to you. ISO/IEC 27001 also includes Annex A, which outlines 114 controls to help protect information in a variety of areas across the organization. ISO/IEC 27002 also provides best practice guidance and acts as a valuable reference for choosing, as well as excluding, the controls best suited to your organization.

It’s never been more important to protect the information in your organization. Cyber-attacks have become more prevalent and sophisticated, supply chains are more complex, and the volume of important information handled by organizations continues to increase. If you don’t make sure your information is secure you could risk financial penalties or fines. You just can’t afford not to have a system in place to protect the information in your business. ISO/IEC 27001 helps you manage information so it remains safe and secure so you can build a responsive and resilient business.

Bringing information security into the heart of your business

It raises the importance of information security in your organization and ensures it supports your business strategy and objectives. It’s really a business management tool which helps you understand what information you have, where it is, and most importantly, how you protect it. It’s the most effective way of managing your information and can save you from costly fines and losses.

Helps you win more business and protects your reputation

ISO/IEC 27001 clearly demonstrates that you take information security seriously. It helps reassure customers and suppliers that you have identified risks and have best practice in place to control and minimize these. It helps to differentiate your organization, satisfy tender or supply chain requirements and expand into new markets. And it protects you from the adverse publicity that comes with security breaches.

Led from the top – one organization working together

ISO/IEC 27001 requires commitment and involvement from your leadership team. Top management are responsible for the system’s effectiveness and for making sure the whole organization understands how they contribute to the information security management system (ISMS). Recent trends show that people are as likely to cause a data breach as viruses and other types of malicious software. Creating a culture whereby the importance of information security is promoted and embraced avoids confusion and provides clarity.

Helps you identify risks and improve

You’ll need to identify and manage risks relevant to your ISMS and continually evaluate its effectiveness. This is particularly important when technology is constantly changing and new threats can arise suddenly. You will need to evaluate the effectiveness of the controls you put in place to manage risk and make sure they are proportionate to the potential impact on your business. This will help to keep your organization resilient and optimize the performance of your ISMS.

Why AQS?

AQS is the sole organization in Azerbaijan certified to ISO 10019:2007 “Guidelines for the selection of quality management system consultants and use of their services”. We have the best knowledge of ISO 27001 as a consulting partner of BSI, which has been at the forefront of ISO/IEC 27001 since the start. The standard was originally based on BS 7799, developed in 1995, and BSI has been involved in its development and the ISO technical committee ever since. That’s why we’re best placed to help you understand the standard. At BSI we create excellence by driving the success of our clients through standards. We help organizations to embed resilience, helping them to grow sustainably, adapt to change, and prosper for the long term. We make quality services = quality life.