ISO/IEC 27001 details 133 security controls, which are organized into 11 sections and 39 control objectives. These sections specify best practices for:
• Business continuity planning
• System access control
• System acquisition, development and maintenance
• Physical and environmental security
• Compliance
• Information security incident management
• Personnel security
• Security organization
• Communications and operations management
• Asset classification and control
• Security policies
An ISMS may be certified as compliant with ISO/IEC 27001 by a number of accredited registrars worldwide. ISO/IEC 27001 certification, like other ISO management system certifications, usually involves a three-stage audit process:
• Stage 1—An informal review of the ISMS that includes checking the existence and completeness of key documents such as the organization’s security policy, the risk treatment plan (RTP) and the statement of applicability (SOA).
• Stage 2—Independent tests of the ISMS against the requirements specified in ISO/IEC 27001. The certification audits are conducted by ISO/IEC 27001 lead auditors.
• Stage 3—Follow-up reviews or periodic audits to confirm that the organization (e.g. a software application development company) remains in compliance with the standard.
Maintaining certification requires periodic reassessment audits to confirm that the ISMS continues to operate as specified and intended. Independent assessment necessarily brings some rigor and formality to the implementation process, and the process must also be approved by management. ISO/IEC 27001 certification helps to assure the organization’s business partners of its information security status without those partners having to conduct their own security reviews.
Planning
As in all compliance and certification initiatives, consideration of the organization’s size, the nature of its business, the maturity of its processes for implementing ISO 27001, and the commitment of senior management are essential. The departments and activities most vital to the success of the project include:
• Internal audit—In the initial planning phase, input from internal audit will be useful in developing an implementation strategy, and early involvement of internal auditors will be useful during the later stages of certification that require review by management.
• IT—The IT department will have to dedicate resources and time to the activities associated with the ISO 27001 initiative. An inventory of existing IT compliance initiatives, procedures and policies, and of the maturity of existing IT processes and controls, will be useful for understanding how the existing processes align with ISO 27001 requirements.
Although implementation of policies and procedures at software companies is largely perceived as an IT activity, other departments play a very important role in the implementation. For example, facilities management is largely responsible for physical security and access controls.
Decision Making
The decision of when and how to implement the standard may be influenced by a number of factors, such as:
• Business objectives and priorities
• Existing IT maturity levels
• User acceptability and awareness
• Internal audit capability
• Contractual obligations
• Customer requirements
• The firm’s ability to adapt to change
• Adherence to internal processes
• Existing compliance efforts and legal requirements
• Existing training programs
Author Signature: Shreyans Agrawal (ifour.shreyans.agrawal@gmail.com)