Information Security and ISO27001

Whether we are talking about a bank, a telecommunication company, a government office or even a small shop, information is the most important asset organizations have. Yet very few organizations approach information security the right way and thus continuously expose themselves to unacceptable risks.

Most organizations associate information security to specific products, solutions or technologies, as if the acquisition of hardware and software could magically take care of all the security risks the organization is exposed to. However, real information security is achieved through well documented and managed security processes, involving competent members of staff with clear roles and responsibilities and through the appropriate use of a wide range of security controls.

For instance, it make no sense having a network firewall if there is not a clear documented change management process to control its configuration, no regular review of the firewall logs and firewall rules, not a competent firewall administrator, no backup of firewall configuration, no firewall testing etc.

About ISO27001

When it comes to achieving information security, the only standard which can really help organization today is ISO27001. Originally introduced in 2005, based on the British standard BS7799-2, ISO27001 underwent a new revision just over a year ago in 2013 and that is the version currently in use.

ISO27001 helps an organization by clearly defining the set of processes, responsibilities and controls required for the management of information security risk and the achievement of the organization's information security objectives. Such set of processes, responsibilities and security controls is also called an Information Security Management System (ISMS). With regards to the security controls, ISO27001 identifies a list of 114 best practice security controls, which can be considered by an organization to mitigate information security risks. None of these 114 controls is mandatory and, in ISO27001, they are in fact placed in an appendix called Annex A. However, since they are best practice it is very unlikely for any organization to justify the exclusion of more than a handful of them (usually one or two at most). From 10,000 feet, ISO27001 requirements may read as follows:


Key Facts about ISO27001

It is important to highlight some of the key facts about ISO27001 most organizations are unaware of. Being aware of such facts can help organizations save a lot of time and, most important, can fast track the improvement of an organization's security posture.

ISO27001 Series Quick Reference

While ISO27001 is the ONLY standard organizations have to comply with, it is good to bear in the mind the following other key standards and how they relate to ISO27001.