Security Management Software
Updated August 7, 2023
Best-practice security management standards lay out baseline guidance for securing corporate assets, be those assets digital or physical. The ISO (International Organization for Standardization) 27001 information security (IS) management systems standard, in particular, focuses on securing information assets.
The standard itself is part of the ISO 27000 series of IS management standards. These standards all share a focus on Information Systems Management (ISM), with ISO 27001, originally dubbed BS7799, included in this family of ISO standards when the organization officially began adding ISMS standards [i].
So, what does ISO 27001 do, exactly?
The standard suggests methods and practices for implementing information security in organizations. It provides flexible guidelines – targeted at all companies, irrespective of sector or size – for how those methods and practices should be implemented.
What’s more, ISO 27001 also provides a means of enabling secure, reliable communication of security risk.
Included in the standard are concrete requirements that ISMSs must fulfil to achieve certification. Although concrete, the specifications are broad. Specific requirements aren’t provided in the generic standard, so that it remains suitable for all organizations.
Indeed, requirements, as in all other ISO standards, are left to individual companies to develop and implement – in the case of the ISO 27000 series, ISO 27002 establishes supplementary guidelines [ii].
What ISO 27001 does outline, though, are the broad requirements for planning, implementing, operating, and continuously monitoring and improving a process-oriented ISMS. To this end, the standard calls on all organizations to identify and assess their risks, as well as to define control objectives (for physical security, among other matters).
That’s not all. The standard also emphasizes the necessity of adequate training as a prerequisite for implementing then communicating security procedure. That procedure must be continuously monitored, checked on, and improved upon, to ensure the effectiveness and efficiency of the ISMS.
Who’s responsible?
Here, the standard tasks senior management – not just top executives but business line owners, as well – with the control of the end-to-end certification and implementation process.
That process, in its entirety, consists of determination of security policy, definition of roles and responsibilities, recruitment and preparation of necessary personnel and material resources, as well as decisions on risk management.
ISO 27001 was originally published in 2012. Of course, much has changed in the information management space since then. And this vertiginous pace of change prompted experts to update the standard and establish a more modern information security assessment framework.
So, what are some of the key changes?
For one, the new ISO/IEC 27001:2022 more clearly emphasizes process orientation in information security management [iii].
Another change in emphasis is the increased centrality of risk management – the latter demonstrated by the below:
Security management is all about execution, though. That’s where controls come in.
The original standard included an appendix replete with detailed security controls for multiple security risk points. The updated standard does, as well, revising many of the earlier controls for an era of increased security risk.
Specifically, the updated standard adds 11 new controls. Meanwhile, 24 existing controls get combined, and 58 controls get modifications.
Where do physical security controls (including people) factor among these changes? Information assets, as is well known, exist in physical space and are manipulated by personnel. Those facts leave assets vulnerable despite the most stringent (purely) information security measures.
Like the original, the updated standard dedicates time to discussing physical and environmental security control objectives and controls as well as the role of people. But unlike the original, the updated standard singles out physical security monitoring.
The recommended control to effect serious physical security monitoring is to continuously monitor all premises for unauthorized physical access.
What are some other controls for physical assets and people, recycled from the original or otherwise? The full list includes:
| Control | Requirement |
| --- | --- |
| Physical security perimeters | Security perimeters shall be defined and used to protect areas that contain information and other associated assets. |
| Physical entry | Secure areas shall be protected by appropriate entry controls and access points. |
| Securing offices, rooms, and facilities | Physical security for offices, rooms and facilities shall be designed and implemented. |
| Physical security monitoring | Premises shall be continuously monitored for unauthorized physical access. |
| Protecting against physical and environmental threats | Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure, shall be designed and implemented. |
| Working in secure areas | Security measures for working in secure areas shall be designed and implemented. |
| Clear desk and clear screen | Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced. |
| Equipment siting and protection | Equipment shall be sited securely and protected. |
| Security of assets off-premises | Off-site assets shall be protected. |
| Storage media | Storage media shall be managed through their life cycle of acquisition, use, transportation, and disposal in accordance with the organization’s classification scheme and handling requirements. |
| Supporting utilities | Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities. |
| Cabling security | Cables carrying power, data or supporting information services shall be protected from interception, interference, or damage. |
| Equipment maintenance | Equipment shall be maintained correctly to ensure availability, integrity, and confidentiality of information. |
| Secure disposal or re-use of equipment | Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. |
| Screening | Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis, taking into consideration applicable laws, regulations and ethics, and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. |
| Terms and conditions of employment | The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security. |
| Information security awareness, education, and training | Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function. |
| Disciplinary process | A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation. |
| Responsibilities after termination or change of employment | Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced, and communicated to relevant personnel and other interested parties. |
| Confidentiality or non-disclosure agreements | Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed, and signed by personnel and other relevant interested parties. |
| Remote working | Security measures shall be implemented when personnel are working remotely to protect information accessed, processed, or stored outside the organization’s premises. |
| Information security event reporting | The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner. |
Organizational controls often fall within the category of physical controls, too, and these controls changed as well.
For instance, the updated standard adds a new threat intelligence control. This control mandates the collection and analysis of information relating to information security threats, with the intent of producing complete threat intelligence.
Another significant addition: the updated standard tacitly emphasizes the impact of information assets on an organization’s larger business continuity. As a result, a new ICT readiness for business continuity control was added.
So, what’s the timeline for transition? For organizations currently certified, the transition from the 2013 standard will take three years.
To get started, though, organizations should examine the new controls, update their analysis and assessment of risk, and then choose the most appropriate controls to reduce risk, while updating their ISMS policy as is necessary.
The larger point, however, is that the revised standard sheds light on the deteriorating security risk picture. All organizations, previously certified or not, should be paying attention. Besides pursuing or updating certification, these organizations should also be considering the right operational security management software platform to manage all aspects of security operations from anywhere, on any device. That way, in the face of stark security threats, organizations can deploy resources effectively and efficiently when incidents happen.
[i] Varun Arora, Carnegie Mellon University: Comparing different information security standards: COBIT vs. ISO 27001. Available at https://s3.amazonaws.com/academia.edu.documents/31868881/CPUCIS2010-1.pdf
[ii] Georg Disterer, Journal of Information Security: ISO/IEC 27000, 27001 and 27002 for Information Security Management. Available at https://serwiss.bib.hs-hannover.de/frontdoor/deliver/index/docId/938/file/ISOIEC_27000_27001_and_27002_for_Information_Security_Management.pdf
[iii] Deepti Sachdeva, Security Boulevard: ISO/IEC 27001 – What’s new in Pipeline. Available at https://securityboulevard.com/2022/11/iso-iec-27001-whats-new-in-pipeline/