ISO 27001:2013: a standard of real importance to anyone looking for a career in the information security world
ISO 27001:2013 - Information Security Management Systems
An organization's seriousness about information security is clearly signified by its approach to its ISMS and by the commitment of its leadership.
For new learners: an Information Security Management System is about establishing, implementing, maintaining and continually improving the organization's information security management system.
“This means SATISFYING all requirements in accordance with this International Standard”
To implement an ISMS, read clauses 4 to 10 and the requirements they set out.
Clauses 4 to 10 contain the requirements that this standard needs followed and implemented. Apart from those, there are the Annex A controls (A.5 to A.18), which are used in the context of clause 6.1.3.
An organization needs to meet all of the aforementioned clauses 4 to 10 to claim conformity to this international standard:
- Clause 4 Context of the organization
- Clause 5 Leadership
- Clause 6 Planning
- Clause 7 Support
- Clause 8 Operations
- Clause 9 Performance Evaluation
- Clause 10 Improvement
Why do companies need ISO 27001:2013 certification? What are the BENEFITS?
Benefits to companies:
- Winning new clients and new business within the same client
- The certification makes the significance of a structured approach visible to clients
- It means complying with an international standard, which is easily relied upon by future or prospective clients
- Avoid answering endless questions related to processes and security
- The complexity of multiple legal requirements is reduced
What career options do ISO 27001:2013 certifications open up for individuals?
- Individuals interested in a career in this area first need to get certified, either as Lead Auditor or as Implementer, to get hands-on experience with this international standard
- There are several inputs in this standard which can pave the way for an information security career itself
- There are various certification bodies which can train and certify individuals on this international standard
- Several other career options open up after this certification
- A beginner's guide to understanding this standard, from clauses to controls, follows (read through this blog in full)
Layman's guide to understanding ISO 27001:2013
- Before laying hands on this standard, understand that it is an international standard and encompasses most industry requirements related to information security. This means one may well find certain terms which are new to their knowledge and are applicable to other industries
- There are 114 controls, listed after the clauses in the standard itself. So someone who has picked up this standard anew would find it hard to correlate Annex A with the clauses
- Before relating anything to your own industry, go through the clauses from 4 (Context of the Organization) to 10 (Improvement); though each clause is covered in only a few lines (for example 10.1 Nonconformity and corrective action, and 10.2 Continual improvement), they are applicable and hold quite deep meaning when implementing them in any industry
- Certain words need to be understood before anyone tries to implement or understand this: Scope, Context, Documented Information, Information Security Management System (ISMS), Risk, Opportunities, Management Responsibility, Risk Assessment, SOA (Statement of Applicability), Information Security Objectives, Information Security Policy, Creating and Updating, Management Review, Internal Audit, process approach, continuous and continual improvement, NC (nonconformity), observations and documented evidence
- It is better to study ISO 31000:2018 (Risk Management) before you study and learn this standard
- Every clause from 4 to 10 sets out certain requirements, and Annex A, from A.5 Information Security Policies to A.18 Compliance, also details certain important controls to follow and implement
- Let's take Clause 7 for a better understanding for newcomers. Clause 7 is Support, which has sub-clauses 7.1 Resources, 7.2 Competence, 7.3 Awareness, 7.4 Communication and 7.5 Documented Information. All these sub-clauses aptly detail certain requirements. For example, 7.1 says that the organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS. So while developing an ISMS for their own company, they have to follow the details as mentioned above appropriately
- Now let's take the example of Annex A. All of these are to be used in the context of clause 6.1.3, i.e. information security risk treatment. To better understand this, know that Risk Assessment is one of the major activities which needs to be done for this standard, and it is where all of Annex A, from A.5 to A.18, is used
- Annex A.5 to A.18 contain control objectives and controls, 114 in total; some controls may not be applicable in some industries, and this is to be clearly stated in the SOA (Statement of Applicability)
- Note that training for this standard generally takes not less than 4-5 days, in which all clauses and controls are explained in industry-related discussion sessions; it is quite hard to explain all details or give the same understanding in this form
- General observation: someone who is completely new to this standard in terms of technical or practical know-how would find it hard to correlate while reading this text and following the standard; note that, as mentioned earlier, it is an international standard and details requirements across industries (clauses and controls)
- In this standard, one has to read the requirements carefully. For example, take Clause 7.5.2, Creating and Updating: it clearly talks about how to go about creating and updating any documents which an organization would use for its compliance with this standard. Note: this clause is referenced a couple of times in the standard as a requirement. It basically covers identification and description, format, and who reviews and approves the documents (how beautiful a requirement it is). Here it references the words "suitability and adequacy", which means that when in need, if you have to reference any document, it has to be suitable and adequate; then it adds review and approval, which means there would be someone suitable enough to review and approve the document
- Another beautiful Annex A example is A.12.7, Information Systems Audit Considerations. Note that the standard clearly says that activities involving audits should be planned in such a way as to minimize disruptions to business processes. It means audit activities should be agreed and planned so that the audit has minimal impact on operational activities, i.e. the time slot planned with the respective stakeholders, and the audit time customized as per the timeline agreed by both parties
Information Security Management Systems - Requirements
The scope of the ISMS implementation plays an important role; please read more about it.
Important details about ISO 27001:2013
- SOA – Statement of Applicability
- Risk Assessment
- Internal Audit
- MRM – Management Review Meeting
SOA – Statement of Applicability
The SOA is a useful document which outlines the organization's status on all 114 security controls. For all new learners, note that this is a very important document, a keystone of the organization's ISMS (information security management system).
Basically, it outlines which controls are applicable in the current organization with respect to the scope of the ISO 27001:2013 implementation.
RA – Risk Assessment
This assessment allows the organisation to identify, analyze and measure risks and take effective control measures to counter weak, strong or moderate failures. It also involves reassessing them at specific intervals to reduce the impact on the organization's information security management system.
Internal Audit
Internal Audit assesses the effectiveness of the ISMS (Information Security Management System) and its overall performance.
It yields the following results: compliance with international, industry and regulatory requirements; it is a check mechanism to know the status or health of the effectiveness of the ISMS. As per Clause 9.2, Internal Audit, the organization has to decide the frequency of internal audits and comply with that requirement.
Management Review Meeting
It is an essential part of the ISMS implementation phase, following the Internal Audit (9.2). In the MRM (Management Review Meeting, 9.3), the findings of the internal audit are discussed with management and a further plan of action is discussed and implemented.
Before understanding this standard, please study ISO 31000:2018, i.e. the Risk Management guidelines.
It is very well recommended to follow the details mentioned in this blog to get a career started in cyber security. The basis of risk management starts from understanding ISO 27001:2013 and ISO 31000:2018.
Thank you so much for providing individuals with an extremely wonderful possibility to read from here. It's always very fantastic and stuffed with fun for me and my office mates to search your blog at minimum 3 times every week to see the new items you have got. And indeed, I'm just certainly impressed with the incredible concepts you serve. Some two tips in this posting are honestly the finest we have ever had.
Thank you for your candid feedback, I generally update articles as soon as I get time; I have a couple of other things lined up like this.
Again, your words of motivation are sparks for me to improve
Thanks again
Helpful info. Fortunate me, I found your site accidentally, and I am stunned why this twist of fate didn't happen earlier! I bookmarked it.
Thanks a ton, every time such words about my effort make me run this marathon right from the start again.
Cheers
Hello my friend! I want to say that this post is amazing, greatly written and includes approximately all vital info. I would like to see extra posts like this.
Thank you, I would definitely come up with more soon; right now I am about to publish more about meditation!!
Keep working, splendid job!
thanks
Very interesting topic, regards for putting up. “Nothing great was ever achieved without enthusiasm.” by George Ellis.
Hello There. I found your blog through msn. This is an extremely neatly written article. I will be sure to bookmark it and come back to read more of your helpful info. Thanks for the post. I'll definitely return.
At this time I am going to do my breakfast; after having my breakfast I am coming yet again to read other news.