Managing information security

30 August 2022

David Goodfellow offers advice on implementing, and obtaining certification for, an information security management system according to the requirements of ISO/IEC 27001.

ISO/IEC 27001 is the leading international standard for information security management and it provides a practical framework for an effective information security management system (ISMS). It simplifies compliance with applicable security regulations and requirements, and helps organisations foster an organisation-wide security culture, helping to reduce overall information security risks. 

An ISO/IEC 27001-certified ISMS can also help an organisation meet the legal and regulatory requirements applicable in many countries, as well as customers’ contractual requirements. Rather than being seen as a cost to the organisation, ISO/IEC certification can actually lower the total costs of IT security by reducing the risk of security breaches and the costly consequences associated with data breaches. It also demonstrates a strong commitment to the security of confidential information and can deliver a significant marketplace advantage. Furthermore, an increasing number of companies only work with suppliers that have implemented an ISO/IEC 27001 certified ISMS. 

Implementing an ISMS according to the requirements of ISO/IEC 27001, and obtaining certification, involves a number of steps. Not all ISMS implementation efforts are identical, but the following steps apply to most organisations, regardless of their industry or level of preparedness:

Obtain management commitment: The successful implementation of any management system, including an ISMS, requires a commitment from leadership at the highest level of the organisation. Without this, other business priorities will inevitably erode implementation efforts.

Define the information security policy: At this stage, the organisation identifies and defines its information security policy based on the specific goals and objectives that it hopes to achieve. This policy will serve as a framework for future development efforts by establishing a direction and set of principles regarding information security.

Define the scope of the ISMS: With its information security policy in place, the organisation must then identify the specific aspects of information systems security that can be effectively addressed within the scope of its ISMS.

Complete a risk assessment of current information security practices: Applying the most appropriate methodology, the organisation should then conduct a thorough risk assessment to identify the risks that are currently being addressed, as well as system vulnerabilities and threats that require attention.

Identify and implement risk measures and controls: Here, the organisation implements measures and practices to mitigate all of the risks identified in the risk assessment. The results of these measures and practices should then be monitored and modified as required to improve their effectiveness.

ISMS audit: With a tested and proven ISMS in place, the organisation should conduct a certification assessment pre-audit to identify any potential issues that could negatively impact the outcome of the certification audit. Any nonconformities with the requirements of ISO/IEC 27001 can then be addressed and/or corrected.

Conduct surveillance audit: Finally, an independent certification body should be employed to conduct a formal audit of the organisation’s ISMS for compliance with ISO/IEC 27001. A successful audit results in a recommendation for certification, which is then issued by the certification body. Organisations that achieve ISO/IEC 27001 certification are subject to yearly surveillance audits to confirm continued compliance with the requirements of the standard. A full recertification audit is required every third year following certification.

An ISMS is a vital element in the effort to control or mitigate the risk associated with cyberattacks against digitised data. Not only does ISO/IEC 27001 give organisations confidence that information is protected, it also proves they have identified the risks, assessed the consequences and put in place effective controls that will minimise any damage from cyberattack. Finally, ISO/IEC 27001 is compatible with other management systems standards, easing the auditing process for organisations certified to multiple management systems standards.

David Goodfellow is divisional director business assurance at TÜV SÜD.
