Five lessons you must learn before obtaining the ISO27001 certificate - Understanding the core value of ISO27001 through the ISO high-level framework

I. Understanding ISO 27001 certification and its core value

ISO 27001 is the international standard for an information security management system (ISMS); the ISO 27001 certificate attests that an organization's ISMS conforms to it. Published jointly by ISO and IEC, the standard has become the reference point for managing information security in today's information-rich society.

The clauses of ISO 27001 tell an organization how to protect its information and how to formulate the relevant policies. With that guidance, a company knows which management procedures to establish. When the company meets the requirements of all ISO 27001 clauses, it has reached the certification standard. At that point a certification body (an accredited third-party organization) audits conformity with those clauses, reviews whether the organizational structure is complete, and checks that the Annex A controls the organization has selected in its Statement of Applicability are actually implemented. When every criterion is satisfied, the organization obtains the ISO 27001 certificate.

Many countries have adopted this framework into national policy: some promote it, others require organizations in regulated sectors (such as critical infrastructure or public agencies) to obtain ISO 27001 certification.

II. Before obtaining ISO27001 certification, understand the core principles of an information security management system.

Under ISO 27001, information is treated as an asset of the organization. Although it is intangible, it must be protected like any other valuable asset whose loss or compromise could affect the organization's operations. Information, and the things that carry and process it, exist in many forms, for example:

  • Information: including databases, data files, contracts, agreements, etc.
  • Software assets: Covering application software, systems, development tools, libraries, etc.
  • Hardware assets: including computer equipment, communication equipment, removable media, etc.
  • Services: including computing and communication services, utilities, and other shared resources.
  • People: Includes personnel with professional qualifications, skills and experience.
  • Intangible assets: such as goodwill and image.

Therefore, an information security management system is built around the security of these forms of asset, and it needs to be planned, operated, led and controlled effectively.
Put simply, the information security objectives of ISO 27001 certification are to protect three properties of information:

  • Confidentiality: Preventing information leakage.
  • Integrity: Preventing information from being tampered with.
  • Availability: Ensuring that information is available when it is needed.

These three properties make up the so-called CIA triad, which is central to information security management. At the same time, information security must also comply with the relevant laws and regulations, which is especially important for public agencies.

To achieve these objectives, the organization establishes an ISO 27001 information security management system. The system covers a sequence of steps: establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the ISMS. The goal is to ensure that the organization can respond to changing information security risks while providing a basis for its overall governance.

III. Management cycle and structure of ISO27001

The clauses of ISO 27001 follow the ISO high-level structure shared by management system standards, which maps onto the PDCA cycle (Plan, Do, Check, Act). The cycle is a loop that keeps circulating through the information security management system and improving it. Clause 4 covers the organization's context, including internal and external issues and interested parties; Clause 5 covers leadership and the information security policy; Clause 6 covers planning, including risk assessment, risk treatment and security objectives; Clause 7 covers support, including personnel competence and training and control of documented information; Clause 8 covers operation of the planned controls; Clause 9 covers performance evaluation, including monitoring, internal audit and management review; and Clause 10 covers improvement.

The cycle is iterative: each step feeds the next, so that information security is maintained continuously and improved with every turn of the loop.

IV. Internal and external issues and risk management

Clause 4 of ISO 27001:2013 addresses the context of the organization, and the "internal and external issues" it requires are worth discussing further. (The 2022 revision keeps the same Clause 4 to 10 structure, so the points below apply to it as well.)

  1. Identification and analysis of internal and external issues:
    Internal issues are matters arising inside the organization, such as its structure, culture, resources and existing systems. External issues are matters arising outside it, such as laws and regulations, the market, technology and the needs and expectations of outside parties. The simplest examples are that shareholders expect a return and employees expect to develop their skills.
  2. Handling and responding to internal and external issues:
    The internal and external issues must be listed and prioritized by their impact and risk level; addressing them is one of the requirements of ISO 27001. For the higher-risk issues in particular, response plans must be drawn up and implemented within the information security management system. Because these issues describe the environment the organization operates in, understanding them is what makes it possible to formulate policies that actually fit the company's business.
  3. Risk management review and processing:
    Once the internal and external issues have been screened, some of them become threats that are carried into the risk assessment. These issues must therefore be reviewed and re-examined at regular intervals, not just once.
    At the same time, a documented list of interested parties and their requirements must be established, including the specific requirements of applicable laws and regulations, and those requirements must be implemented in the information security management system.
  4. Determine the scope of the information security management system:
    The internal and external issues, the requirements of interested parties, and the organization's products and services are used to determine the scope of the ISMS, taking into account the interfaces and dependencies with activities performed by other organizations. The scope must be documented.
  5. Risk analysis and system documentation establishment:
    Create a risk analysis form that identifies risks from the analysis of the internal and external issues. Then build the system documentation in four levels (or three levels): the policy at the top, procedures beneath it, work instructions below that, and the forms and records generated when the procedures are carried out. Retain the completed forms as evidence of execution.
  6. Establishment of the information security management policy:
    Finally, establish the information security management policy. This policy is the top-level guideline: it sets out the rules governing the ISMS, the related management processes, how risk assessment is carried out, the information security objectives, the implementation of the controls selected in the risk treatment plan, and the requirements for internal audit and management review.

One-stop solution provider

Mingzheng Management Consultants give you the most professional guidance and certification services.