ISO/IEC 27001:2013 (ISO 27001)
ISO/IEC 27001:2013 (ISO 27001) is the international standard that describes best practice for an ISMS (information security management system). Achieving accredited certification to ISO 27001 demonstrates that your company is following information security best practice, and provides an independent, expert verification that information security is managed in line with international best practice and business objectives. ISO 27001 is supported by its code of practice for information security management, ISO/IEC 27002:2013.
What is ISO 27001?
ISO 27001 is a structured set of guidelines and specifications for assisting organizations in developing their own information security framework. The standard relates to all information assets in an organization regardless of the media on which it is stored, or where it is located. The standard assists organizations in developing their own information security framework.
ISO 27001 has 11 domain areas, 39 control objectives and 133 controls in all. The security controls represent information security best practices and the standard suggests that these controls should be applied depending on the business requirements.
ISO 27001 suggests development and implementation of a structured Information Security Management System (ISMS), which governs the security implementation and monitoring in an enterprise. The standard is designed to serve as a single 'reference point for identifying the range of controls needed for most situations where information systems are used'.
Benefits of ISO 27001 Implementation
Some of the benefits of implementing the ISO 27001 standard are as follows:
- Brings your organization to compliance with legal, regulatory, and statutory requirements.
- Market differentiation due to positive influence on company prestige.
- Increases vendor status of your organization.
- Increase in overall organizational efficiency and operational performance.
- Minimizes internal and external risks to business continuity.
- ISO 27001 certification is recognized on a worldwide basis.
- Significantly limits security and privacy breaches.
- Provides a process for Information Security and Corporate Governance.
- Reduces operational risk while threats are assed and vulnerabilities are mitigated.
- Provides your organization with continuous protection that allows for a flexible, effective, and defensible approach to security and privacy.
We adopts a six-step consulting methodology to manage the ISO 27001 implementation.
Step I: Understanding Business Functions
The purpose of this phase is to provide the initial planning and preparation for the assignment. The steps in this phase help re-emphasize the project objectives and goals and plan the various focus / target areas to be considered during the assignment.
Step II: Data Acquisition
The purpose of this phase is to collect all relevant data pertaining to the scoped area. This is probably the most crucial phase, since it involves meeting the stakeholders and understanding their concerns, as well as assets under their responsibility and the importance of these assets to their business function.
Step III: Risk Assessment
Performing a comprehensive Risk Assessment on the identified critical IT assets would enable to select appropriate risk mitigation controls. Aristi's Risk assessment methodology is a multi-fold activity comprising assigning values to the identified critical information assets, threat assessment, Vulnerability Assessment & Penetration Testing exercise and Gap Analysis.
Step IV: Prioritize
The purpose of this stage is to develop a risk mitigation strategy and plan to provide inputs to the selection of ISO 27001 compliant controls. The inputs from this stage will drive the development of the IT policy.
Step V: Design & Build
The purpose of this stage is to develop detailed and functional IT security policies and procedures for the client. The policy statements will be in line with ISO 27001 and will address the risk areas identified earlier (as per the risk mitigation and treatment plans).
Step VI: Action Plan
The main purpose of this stage is to provide the client with a Security Improvement Program which would help the client to have a continuous improvement as well as to get ISO 27001 certification. The objective of this phase is to implement the security controls.