Five lessons you must understand before obtaining ISO27001 certificate - Understand the core value of ISO27001 through ISO high-level structure

I. Understanding ISO 27001 certification and its core value

ISO27001 is the international standard for an information security management system (ISMS). This standard, published by the ISO organization, serves as a common benchmark that organizations in today's information-driven society can follow.

The provisions of ISO27001 tell an enterprise how to ensure information security and how to formulate the related policies. Following this guidance, the enterprise establishes the corresponding management procedures. When an enterprise meets the requirements of all ISO27001 provisions, it has reached the ISO27001 certification standard. At that point a verification unit (a third-party agency) checks compliance with these provisions, reviews whether the organizational structure is complete, and so on. When every criterion in the provisions is met, the ISO27001 certificate can be obtained.

Many countries have also aligned national policy with this structure, either by promoting ISO27001 or by strictly regulating that enterprise organizations must obtain the ISO27001 certificate.

II. Before obtaining ISO27001 certification, understand the core principles of an information security management system.

Under ISO27001, information is regarded as an asset of the organization. Although it is intangible, it needs to be properly protected like any other valuable asset, since its loss may affect the organization's operations. Information can exist in many forms, such as:

  • Information: including databases, data files, contracts, agreements, etc.
  • Software assets: Covers application software, systems, development tools, function libraries, etc.
  • Hardware assets: including computer equipment, communication equipment, removable media, etc.
  • Services: Involving computers, communication services, general shared resources, etc.
  • People: Includes people with professional qualifications, skills and experience.
  • Intangible assets: such as goodwill and image.

Therefore, establishing an information security management system around the security needs of these forms of asset requires effective planning, operation, leadership and control.
Simply put, the goal of the information security management that the ISO27001 certificate attests to is mainly to protect three important properties of information:

  • Confidentiality: Prevent information from leaking.
  • Integrity: Prevent information from being tampered with.
  • Availability: Ensuring that information is always available when needed.

These principles form the so-called CIA triad, and they play an important central role in information security management. At the same time, information security also requires compliance with relevant regulations, especially for public agencies.

In order to achieve these goals, organizations need to establish an ISO27001 information security management system. This system covers a series of steps from establishment, implementation, operation, monitoring, review, maintenance to continuous improvement. The goal is to ensure that the organization can adapt to different information security risks, while also providing a basis for the organization's overall governance efforts.

III. Management cycle and structure of ISO27001

The chapters of ISO27001 follow the ISO high-level structure, which resembles the PDCA (Plan, Do, Check, Act) cycle; this cycle repeats continuously, and each pass improves the information security management system. ISO27001 covers internal and external relationships and issues in Chapters 4 and 5, risk management and control in Chapter 6, personnel training and document management in Chapter 7, and internal audit, management review and improvement in Chapters 8, 9 and 10.

This cycle is an iterative process, and each step is interrelated with the others to ensure the continuous improvement of information security.

IV. Internal and external issues and risk management

The fourth chapter of ISO27001:2013 addresses the context of the organization, and the "internal and external issues" it defines are worth discussing in depth.

  1. Identification and analysis of internal and external issues:
    Internal issues refer to people and matters inside the organization, while external issues refer to the needs, expectations or concerns of people or parties outside the organization. The simplest examples are that shareholders want to make money and employees want to learn.
  2. Handling and response to internal and external issues:
    Internal and external issues need to be listed, and decisions made based on their impact and level of risk. Treating these issues is one of the requirements of ISO 27001. For higher-risk issues in particular, response plans need to be considered and implemented in the information security management system. Internal and external issues reflect the organization's environment; only by understanding them can strategies and policies suited to the company's operations be formulated.
  3. Review and treatment of risk management:
    After filtering the internal and external issues, some of them may become threats in risk management. In that case, these issues need to be reviewed and handled regularly.
    At the same time, a document containing a list of stakeholders and their needs, including clear and specific requirements from laws and regulations, needs to be established and implemented in the information security management system.
  4. Determine the scope of the information security management system:
    Internal and external issues, stakeholder requirements, and products and services determine the scope of the information security management system.
  5. Risk analysis and establishment of system documentation:
    Create a risk analysis table that determines risks by analyzing the internal and external issues; create the system documentation in four levels (or three levels), and keep records of the completed forms as evidence of execution.
  6. Establishment of information security management policy:
    Finally, an information security management policy needs to be established. This policy is the top-level guideline: it covers the establishment of ISMS-related rules, the related management processes, risk assessment operations, the setting of information security objectives, the implementation of the control measures selected in the risk treatment plan, and the specifications for auditing and management review.

Mingzheng Management Consultants provides professional guidance and verification services.