The Noggin Blog

What Should Security Teams Know About ISO 27001

Posted by The Brain on Oct 27, 2020 2:24:49 PM

What’s the value of international standards in the age of COVID-19? Well, in the case of the information security management system standard, ISO/IEC 27001, the standard prescribes baselines for securing information assets. If you haven’t noticed, those information assets are increasingly under threat with the sharp rise in cyber attacks.

So, what should Security teams know about the best-practice standard?


First, a little background: the ISO 27000 series is a family of information security management standards, focused on information security management systems (ISMS). Originally dubbed BS 7799, ISO 27001 was eventually included in the set of ISO standards when the organisation began adding ISMS standards.

What does ISO 27001 define precisely? The standard lays out methods and practices for implementing information security in organisations. It provides flexible guidelines – targeted at companies in all sectors and of all sizes – for how those methods and practices should be implemented. The standard also seeks to enable secure, reliable communication of security risk, which is often missing at the organisational level.

Included in the standard are the requirements that an ISMS must fulfil in order to achieve certification. Those specifications are broad, however. Specific requirements are not given in this generic standard, as it is applicable to all businesses in all sectors. As is the case with ISO standards in general, the detailed requirements are left to individual companies to develop and implement. ISO 27002, in particular, provides supplementary guidelines.

What ISO 27001 outlines, instead, is the broad requirement for planning, implementing, operating, and continuously monitoring and improving a process-oriented ISMS. It calls on organisations to identify and assess risks, as well as to define control objectives.

What else: the standard also identifies adequate training as a prerequisite for implementing and then communicating security procedures – as an aside, we’ve learned in this pandemic moment that the lack of training for newly remote workers has provided a soft underbelly to opportunistic hackers. Those procedures must then be continuously monitored, checked, and improved upon, so as to ensure the effectiveness and efficiency of the ISMS.

The standard also tasks senior management – not just top executives but business line owners – with control of the end-to-end certification and implementation process, including the determination of a security policy, the definition of roles and responsibilities, the recruitment and preparation of necessary personnel and material resources, and decisions on risk management.

There’s another element of ISO 27001 well worth mentioning, and that’s physical security operations. In the era of social distancing and new safety guidelines, physical security itself is changing. But it’s often forgotten that even in socially distanced facilities, information assets exist in physical space, leaving them highly vulnerable to compromise – even with the most robust cyber security measures in place.

So, what does ISO 27001 say about physical security? The standard instructs complying organisations to assess the risks relating to physical access to their information assets. Firms must then put controls in place, where appropriate, to manage (limit or simply control) physical access to those assets.

Of course, that only scratches the surface of what the best-practice standard has to say. If you’re keen to learn more, download our guide to ISO 27001.
