ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. ISO is equally important to software development companies in India and around the globe.
ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks. The ISMS is an overarching management framework through which the organization identifies, analyses and addresses its information security risks.
The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts - an important aspect in such a dynamic field, and a key advantage of ISO27k’s flexible risk-driven approach as compared to, say, PCI-DSS.
The standard covers all types of organizations, including software development companies (e.g. commercial enterprises, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries or markets (e.g. retail, banking, defence, healthcare, education and government). This is clearly a very wide brief.
History
ISO/IEC 27001 is derived from BS 7799 Part 2, published in 1999. BS 7799 Part 2 was revised by BSI in 2002, explicitly incorporating Deming’s Plan-Do-Check-Act cyclic process concept, and was adopted by ISO/IEC as ISO/IEC 27001 in 2005. It was extensively revised in 2013, bringing it into line with the other ISO certified management systems standards and dropping the PDCA concept.
What is ISO 27001?
ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an Information Security Management System (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.
According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."
Benefits of ISO/IEC 27001 Information Security Management
- Identify risks and put controls in place to manage or reduce them
- Flexibility to adapt controls to all or selected areas of your business
- Gain stakeholder and customer trust that their data is protected
- Demonstrate compliance and gain status as preferred supplier
- Meet more tender expectations by demonstrating compliance
ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a statement of applicability.
The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organization.
The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.
ISO 27002 contains 12 main sections:
- Risk assessment
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance
Organizations, including software development companies, are required to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance.