ISO/IEC 27001 and 17799:2000 IT – Information Security management systems – Requirements & Code of practice for information security management
Information is an asset that must be protected. Electronic information is at greater risk from threats and vulnerabilities than it ever was when it was held in other media. Many systems were designed before the complexities of networking made unauthorized access such a severe threat to security. Fraud, espionage, sabotage, and vandalism can all be perpetrated on an organization’s information without being immediately detectable unless sound measures prevent such occurrences.
Information security is an umbrella process that proactively protects information from a wide range of threats as a means of ensuring business continuity, minimizing business risk, and maximizing return on investments and revenue opportunities. Like other processes, it incorporates a set of controls, such as policies, processes, procedures, organizational structures, software, and hardware, but does so with more rigour than other processes since without such rigour, risks would be unmanageable.
Since security is a moving target, it’s never enough to just implement good security practices. Hackers, industrial spies, and cyber criminals launch their attacks to penetrate the barriers as soon as those barriers have been constructed, and the impacts can be devastating. Lost business, damaged reputation, corrupted data, and lawsuits are headaches organizations would prefer to avoid. The key to preventing such losses is to identify and manage risk. To do this, first identify what the information assets are, assign relative values to them, determine their vulnerabilities and threats, put safeguards into practice to protect them, and then continually monitor and check. Like any other business priority, information security must be supported by management and become an integral part of daily operations.
Information security is all about protecting the CIA: ensuring the Confidentiality, Integrity, and Accessibility of information. Confidentiality provides assurance that only those authorized have access to information. Integrity ensures that safeguards are in place to protect the accuracy and completeness of the information. Accessibility gives authorized individuals the ability to use the information whenever they need it.
ISO/IEC 27001 provides 133 controls or safeguards and 39 control objectives to help organizations cover the basics. Like other management system standards (e.g. 9001 and 14001), its success is based on the Plan-Do-Check-Act cycle of continuous improvement. Its requirements enable the organization to systematically build a closed-loop system of protection in which incidents are identified, analysed, and corrected, the solutions of which are verified to ensure the best options have been implemented. ISO/IEC 17799 provides guidance on the controls and examples of implementation.
An organization is only as stable as its information is secure. Using a structured and disciplined approach, such as that provided by ISO/IEC 27001, to assure the security of your information makes common sense.