What is ISO 27001 all about?

ISO 27001 (formally known as ISO/IEC 27001:2005) is a set of rules, or framework of policies and procedures, for an information security management system (ISMS). It covers all legal, physical and technical controls involved in an organisation's information risk assessment and management processes.
Basically, ISO 27001 was developed and introduced to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system." ISO 27001 takes a risk-based approach and is technology neutral.

The specification defines a six-part planning process:

1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select control objectives and controls to be implemented.
6. Prepare a statement of applicability.

The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation, including its stakeholders.

The ISO 27001 standard does not mandate specific information security controls; instead, it provides a checklist of controls that should be taken into consideration when implementing ISO 27001.

The ISO 27001 checklist contains the 12 main categories listed below.

1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance

Organisations, big or small, are required to adapt these controls appropriately in line with their specific risks.
Third-party certification is recommended for an ISO 27001 implementation.

Other standards being developed in the 27000 family are:

27003 – implementation guidance.
27004 – an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.
27005 – an information security risk management standard.
27006 – a guide to the certification or registration process for accredited ISMS certification or registration bodies.
27007 – ISMS auditing guideline.