In this post “ISO 27001 Cybersecurity Framework” we will talk about the following:
- What is ISO 27001?
- What is ISMS?
- ISO 27001 Structure
- ISO 27001 Controls
- ISO 27001 Requirements
- ISO 27001 Benefits
What is ISO 27001?
ISO 27001 is the international standard for information security. It specifies the requirements for establishing, implementing, maintaining and improving an Information Security Management System (ISMS).
What is ISMS?
An ISMS is a comprehensive approach to securing the CIA (i.e. Confidentiality, Integrity, and Availability) of the organization's information assets. It is made up of policies and procedures that involve people, processes, and technology.
ISO 27001 Structure
ISO 27001 has two parts: the first part contains eleven clauses; the second part, called Annex A, provides 114 controls and their control objectives as a guideline.
ISO 27001 Controls
Controls are the practices that are implemented to reduce risk. Controls can be organizational, physical, human, technical, and more. Here is the list of Annex A control domains in ISO 27001.
A.5. Information security policies
A.6. Organization of information security
A.7. Human resource security
A.8. Asset management
A.9. Access control
A.10. Cryptography
A.11. Physical and environmental security
A.12. Operations security
A.13. Communications security
A.14. System acquisition, development and maintenance
A.15. Supplier relationships
A.16. Information security incident management
A.17. Information security aspects of business continuity management
A.18. Compliance
ISO 27001 Requirements
The main requirements are stated in clauses 4 to 10.
Clause 4: Context of the organization
Clause 5: Leadership and commitment
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance evaluation
Clause 10: Improvement
ISO 27001 Benefits
ISO 27001 has several benefits. Some of these benefits are:
- Reduce security costs
- Respond to threats
- Protect data
- Increase organization’s resilience to attacks
In this post we have defined ISO 27001 and ISMS. Also, we have mentioned the structure of ISO 27001, controls, requirements, and benefits.
Organizations have many ways to manage governance, risk management and compliance (GRC) requirements. One of them is adopting a proven security framework to serve as the control baseline and mobilizing resources to achieve ISO 27001 certification. One benefit of certification is that it serves as a third-party endorsement: ongoing demonstrated compliance is required to stay certified, which helps boost public and market confidence in the organization.
Note that demonstrated compliance is one thing; whether the company's employees actually possess the capability to perform all the activities in the controls is another. From a few common areas that come up when I talk and discuss with clients, I can tell whether they are certified only on paper or truly possess a strong team to back their ISO 27001 certification, as this is uncovered during interview and consulting time. For example, are they really capable of identifying assets, prioritizing them, and working out the threat model? Do they possess the technical know-how to conduct technical vulnerability management and penetration testing, or do they just use an "automated" tool to perform a scan without even knowing what the "automated test" actually does behind the scenes? Then, when there is a major security breach, everyone points fingers at another team, when in reality the team lacks the skills and has not even bothered to upgrade them to cope with changing technology and new kinds of vulnerabilities and exploits. Or they are not even capable of demonstrating to their developer team where the vulnerability exists and showing them the exploit, so the developers know exactly where to focus their energy when fixing the application code.
Most of the time no one will bother about whether you are capable or not, as long as you are not creating problems for others. The world is moving faster and more new competencies are required, and if you do not possess what is needed, sooner or later the moment of disaster will uncover the truth, and the damage will be very costly to remediate, for instance a security breach incident caused by someone who overlooked something and did not know how to perform the needed action. Do not trust the tool; it is only a tool, regardless of how expensive it is. A tool is meant to be used by a human, and only in the hands of an experienced, knowledgeable user does it do what it was designed for.
Performing internal audits and performance appraisals to demonstrate that employees possess the needed skills, or providing them with gap-closing training or workshops to boost their skills, is important. Products, technology and tools are only part of the answer, as everyone knows. So act now and discuss with E-SPIN to conduct an IT cybersecurity skill audit for your team; from the results, work out gap-closing training and workshops, or talk with E-SPIN about a holistic cybersecurity testing solution to complement or enhance your current practice.