Information Security Management System (ISO/IEC 27001)
This standard defines the requirements for the development, establishment, and documentation of an information security management system (ISMS) with the aim of identifying, managing, and minimizing threats to an organization’s valuable information. Initially established as a British Standard by the UK Department of Trade and Industry in 1995 and revised in 1999, it has since evolved into one of the most authoritative international certification standards in the field of information security, having been adopted as an international standard by the International Organization for Standardization (ISO).
It covers 11 areas and 133 controls related to information security, including information security policy, physical security, and access control.
Necessity of an Information Security Management System
- Increasing dependence on information processing through information systems across all sectors of society
- Rising trend of losses due to insufficient protection measures for information systems
- The need is further heightened due to environmental changes such as the advancement of information systems and interconnection of open systems.
- The increasing sophistication and diversification of electronic intrusions make it difficult to effectively respond to various information threats.
- Growing user requirements for information security
- The establishment of international standards for information security management may act as an “invisible technical barrier” in future international transactions.
Effects of an Information Security Management System
- Enhances customer satisfaction by securely protecting customer information
- Ensures business stability through risk management, legal compliance, and proactive response to future security issues and concerns
- Understanding how legal and regulatory requirements affect your organization and clients, and how to reduce risks associated with legal sanctions
- Ensures that customer records, financial information, and intellectual property are protected from loss, theft, and damage through a structured framework
- Establishes credibility through independent verification against recognized global industry standards
- Certification enables business expansion, as clients often require certificates as a condition for delivery
Components of an Information Security Management System (ISMS)
| Requirement number | Title | |
|---|---|---|
| 4. Context of the Organization | 4.1 | Understanding the organization and its context |
| 4.2 | Understanding the needs and expectations of interested parties | |
| 4.3 | Determination of the scope of the Information Security Management System | |
| 4.4 | Information Security Management System (ISMS) | |
| 5. Leadership | 5.1 | Leadership and commitment |
| 5.2 | Policy | |
| 5.3 | Organizational roles, responsibilities, and authorities | |
| 6. Planning | 6.1 | Actions to address risks and opportunities |
| 6.2 | Quality objectives and planning to achieve them | |
| 7. Support | 7.1 | Resources |
| 7.2 | Competence | |
| 7.3 | Awareness | |
| 7.4 | Communication | |
| 7.5 | Documented information | |
| 8. Operation | 8.1 | Operational planning and control |
| 8.2 | Information security risk assessment | |
| 8.3 | Information security risk treatment | |
| 9. Performance Evaluation | 9.1 | Monitoring, measurement, analysis, and evaluation |
| 9.2 | Internal audit | |
| 9.3 | Management review | |
| 10. Improvement | 10.1 | Nonconformity and corrective action |
| 10.2 | Continual improvement | |