ISO 27001 – INFORMATION SECURITY QUESTIONS AND ANSWERS
Due to inadequate security in information processing, the German economy suffers annual damage in the billions. There are many reasons for this: external disruptions, technical errors, industrial espionage or misuse of information by former employees. However, only those who recognize the challenges can take appropriate measures. A well-structured information security management system (ISMS) according to the internationally recognized standard ISO 27001 is an optimal basis for the effective implementation of a holistic security strategy. What exactly does that mean and what needs to be considered? You can find answers to important questions about ISO 27001 in our blog post.
WHAT IS INFORMATION SECURITY?
Within the international ISO / IEC 2700x family of standards for information security, the answer to this question is simple:
“Information is data that is valuable to the company.”
ISO / IEC 27000:2009: Information technology – IT security procedures – Information security management systems – Overview and terminology
This makes information an economic asset that must not fall into the hands of unauthorized persons and that requires adequate protection.
Information security therefore covers everything that has to do with protecting the company’s information assets. It is crucial to be aware of the risks in the company’s context, or to uncover them, and to counter them with appropriate, needs-based measures.
“Information security is not IT security.”
IT security refers only to the security of the technology used, not to the corporate assets to be protected. Organizational issues such as access rights, responsibilities and approval procedures, as well as psychological aspects, also play an important role in information security. Secure IT nevertheless contributes to protecting information in the company.
WHAT ARE THE PROTECTION GOALS OF INFORMATION SECURITY?
The protection goals for information security include three main aspects:
- Confidentiality – protection of confidential information against unauthorized access, whether for data protection reasons or because of business secrets that fall under trade secret law. The required level of confidentiality is what matters here.
- Integrity – ensuring the completeness and reliability of all data and information, and minimizing the risks to them.
- Availability – ensuring that authorized users can access and use information, buildings and systems. It is essential for keeping processes running.
CENTRAL QUESTIONS ABOUT INFORMATION SECURITY
- What assets does my company have?
- Which corporate assets need to be protected?
- What attacks are these corporate assets exposed to?
- Who is interested in protecting this information?
- What are the appropriate measures?
WHAT IS AN INFORMATION SECURITY MANAGEMENT SYSTEM?
An information security management system (ISMS) according to DIN ISO / IEC 27001 defines guidelines, rules and methods to ensure the security of sensitive information in a company. It provides a model for the introduction, implementation, monitoring and improvement of the level of protection, following the systematic PDCA cycle (Plan-Do-Check-Act) known from ISO 9001. The aim is to identify possible risks for the company, to analyze them and to make them manageable with suitable measures.
WHY IS AN ISMS IMPORTANT?
Successful companies use the structure and transparency of modern management systems to uncover threats and to keep the use of modern security systems under control. At the heart of an information security management system is the security of your own information assets, such as intellectual property, financial and personnel data, as well as information entrusted to you by customers or third parties.
“Information security always means protecting important information or data of value.”
The risks to which the data worth protecting are exposed are manifold. They can arise from material, human and technical security threats. Only the holistic, preventive management system approach of an ISMS can do justice to the entire spectrum of risks and ensure the business continuity of a company.
WHAT ARE THE ADVANTAGES OF AN ISMS?
An important question about ISO 27001! The standard formulates the requirements for the systematic structure and implementation of a process-oriented management system for information security. This holistic approach enables companies to achieve decisive advantages:
- the security of sensitive information becomes an integral part of the company’s processes
- preventive protection of the confidentiality, availability and integrity of information
- maintenance of business continuity through continuous improvement of the level of security
- sensitization of employees and a significantly stronger security awareness at all company levels
- establishment of an effective risk management process
- building trust with interested parties (e.g. in tenders) through demonstrably secure handling of sensitive information
- fulfilment of relevant compliance requirements, greater certainty of action and legal certainty
FOR WHICH COMPANY IS ISO 27001 USEFUL?
The answer to the question of which companies ISO 27001 makes sense for is: all of them! The standard can basically be applied in any company, regardless of its type, size and industry. All organizations benefit from the advantages of a structured management system. The implementation of the ISMS is influenced by the following factors:
- the requirements and corporate goals
- the security needs
- the business processes applied
- the company size and structure
HOW CAN POSSIBLE RISKS BE HANDLED?
Security risks can arise from material, human and technical threats. In order to achieve a comprehensible and appropriate level of security in the company, a defined risk management process or a corresponding method for risk assessment, treatment and monitoring is required. ISO / IEC 27005 provides a good guide to information security risk management.
WHAT ROLE DO PEOPLE PLAY?
People are also a risk factor: handling sensitive information affects all employees and partners of a company without exception. They also pose an increased security risk, whether through human error or ignorance. Yet only very few companies regulate who may access which information and how it is to be handled.
“The new source of power is no longer money in the hands of a few, but information in the hands of many.”
John Naisbitt (born 1929), American futurologist
Binding regulations and a pronounced awareness of all information security issues are therefore a basic requirement. The key here is to adapt corporate policy or develop a suitable information security policy. The necessary sensitization of employees at all (management) levels is a top priority and can be achieved, for example, through training, workshops or personal discussions.
ISO 27001 – QUESTIONS REGARDING THE INTRODUCTION
The question of whether a company must already have implemented a management system, e.g. according to ISO 9001, can be answered with a “no”. Like all management system standards, DIN ISO 27001 stands on its own. This means that a company can set up and implement an ISMS at any time and regardless of existing structures. Nevertheless, companies that already operate a quality management system according to ISO 9001 have a good basis for the gradual entry into comprehensive information security.
The structure and approach of ISO 27001 are based on the binding basic structure for all process-oriented management system standards, the High Level Structure. This makes it easy to integrate an information security management system into an existing management system. Joint certification according to ISO 27001 together with ISO 20000-1 (IT Service Management) or ISO 22301 (Business Continuity Management) is also possible through DQS.
WHICH DOCUMENTS CAN HELP WITH THE INTRODUCTION?
The preferred basis for the introduction of a holistic management system for information security (ISMS) is the international family of standards ISO / IEC 2700x. It is intended to support companies of all types and sizes in implementing and operating an ISMS. Important components of the standard series are:
- ISO / IEC 27000:2009: Information security management systems – Overview and vocabulary
- DIN ISO / IEC 27001: Information technology – IT security procedures – Information security management systems – Requirements (certification requirements)
- DIN ISO / IEC 27002: Information technology – IT security procedures – Guidelines for information security management
- ISO / IEC 27003: Development and implementation of the ISMS
- ISO / IEC 27004: Information security management – Measurement
- ISO / IEC 27005: Instructions for information security risk management
ISO 27001 – QUESTIONS ABOUT THE IT SECURITY OFFICER
Does ISO 27001 require an IT security officer? The answer is “yes”: one of the tasks within the ISMS is the appointment of an IT security officer by top management. The IT security officer is the contact for all IT security questions. They should be integrated into the ISMS process and work closely with IT managers on tasks such as the selection of new IT components and applications.
WHY ISO 27001 CERTIFICATION?
Certification on the basis of an accredited procedure is proof that a management system and measures have been implemented to systematically protect a company’s information assets. With the certificate, you show in black and white that you have successfully built this system and committed to its continuous improvement. The globally esteemed DQS certificate is the visible expression of a neutral assessment and strengthens trust in your company. This is a market advantage and a good prerequisite for tenders and security-critical customer transactions, such as with financial service providers.
ISO 27001 – QUESTIONS ABOUT THE CERTIFICATION PROCESS
All management systems that are assessed on the basis of international rules (ISO / IEC 17021) by an accredited certifier such as DQS are subject to the same certification process.
The initial certification consists of the system analysis (stage 1) and the system audit (stage 2), in which the auditors verify the functioning of the overall system and the implementation of all standard requirements. The certificate is valid for 3 years. To remain valid during this term, however, it must be verified annually. In the first and second year after the certificate has been issued, the DQS auditors therefore conduct shortened surveillance audits, in which they examine, for example, the effectiveness of essential system components or corrective and preventive measures. Recertification then takes place after three years.
IS A MATRIX CERTIFICATION POSSIBLE?
Matrix certification is possible for companies with multiple locations. For ISO 27001, the same guidelines apply as for other ISO standards such as ISO 9001 or ISO 14001. DQS can integrate ISO 27001 into existing matrix procedures, i.e. conduct a joint external audit together with the other ISO standards.
WHAT CAN WE DO FOR YOU?
DQS is one of the leading management system certification, audit, assessment and training organizations globally. DQS India is the Indian subsidiary of DQS Holding GmbH. Major shareholders of DQS Holding include Underwriters Laboratories (UL) Inc., one of the world’s largest product safety certification bodies, the German Institute for Standardization (DIN), a standards-making body, and the German Association for Quality (DGQ). DQS is one of the founding members of IQNet, the largest international network of certification bodies, which together have issued approximately one-third of all management system certificates in the world.
With a passion for quality, we at DQS strive for one common goal: partnering with companies for business success and organizational health.
FOR MORE INFORMATION CONTACT
Email ID: Sales.Support@dqs-india.in
Ph +91 924 320 3043