International Information Security - ISO 27001
Amy Eikelenboom
Co-founder of NAALA
Published on 27 December, 2021
By: Amy Eikelenboom – Co-Founder at NAALA
Published on 27 December, 2021
With security threats arising in all sectors, international companies are more and more aware of the need to upgrade their information security management. Being active in varying jurisdictions, multiple geographical areas and employing various people, an information security threat can come from several sources. Are you looking for a way to structure your security management efforts in a uniformly recognizable way? The international ISO 27001 norm provides organizations with guidance for the implementation of an information security management system.
Information Security Management System (ISMS)
An ISMS is a holistic approach to the internal activities designed to continuously manage the confidentiality, integrity and available of information. The scope of these activities ranges from hiring employees to secure development and includes both your physical and online security.
The ISMS activities to be implemented follow from an organization wide risk analysis. The goal of these activities is to mitigate potential risks to an acceptable level for the organization. As this is a continuous process, the ISMS can be typified by its plan-do-check-act cycle.
- Plan: the organization must plan organizational objectives related to their information security following from the risk analysis at minimum.
- Do: to ensure these risks are mitigated to an acceptable level, the organization must implement appropriate controls.
- Check: the effectiveness of the implemented controls must be checked to demonstrate that the organization has a continuous grip on its mitigating controls.
- Act: in case additional or new controls are required to mitigate (new) risks, the organization must act on this need, starting the cycle all over again.
Needless to say, the approach is a cycle for a reason: continuous improvement of information security management by responding to (new)risks or other challenges is the cornerstone of implementing an ISMS.
How should you design such ISMS? ISO 27001 gives substance to this cycle by providing ten management system clauses, supplemented with 114 information security controls that support the implementation and maintenance of an ISMS.
Why should you become ISO 27001 certified?
With ISO 27001 it is possible to demonstrate your information security level internationally. The norm is independent from sector and therefore broadly applicable to all types of organizations. Clients may require you to demonstrate ISO 27001 compliance as this allows them to verify that you have implemented an appropriate level of information security.
Nonetheless, the norm can be supplemented by (inter)national sector specific norms. Examples of this are the Dutch NEN 7510 for the healthcare sector and Baseline Informatiebeveiling Overheid for the governmental organizations. Additionally, ISO 27001 can give substance to information security requirements following from, for example, the General Data Protection Regulation (GDPR).
How to become ISO 27001 certified?
First and foremost, it must be defined what will actually be certified and therefore what organizational activities should be controlled.
Depending on the type of organization, some requirements stemming from the ISO 27001 may not be applicable. The substantiation for this must be documented in a Statement of Applicability.
Before you can define how risks must be mitigated, potential risks should first be identified and their potential impact analysed.
After you have defined the potential risks, implementation of the ISO 27001 requirements should be used to mitigate these potential risks. In case additional mitigation is still required, ISO 27001 requirements can be supplemented with additional organization specific controls. The implementation of these controls must be done two-fold:
- Firstly, in the design or the organization which means that appropriate policies and procedures should be available within the organization. You could request NAALA’s ISO 27001 toolkit from us which includes all the pre-written policies, procedures and templates your need.
- Secondly, the controls should be implemented in practice. The measures described in the appropriate policies and procedures should be implemented in the organizational ways of working. This starts by making employees aware of the information security risks and mitigating controls implemented.
Ensure internal competence is available within the organization to manage and maintain the ISMS.
Verify the effectiveness of risk controls. Following your internal information security management plan, the effectiveness and appropriateness of the implemented risk control measures should be determined.
Following either your own internal audit or your external audit, a plan should be drafted demonstrating your continuous improvement of the information security management system.
Implement necessary corrective and preventive actions following incidents and/or audit results.
Numerous laws and regulations include information security requirements. Some are even sector-specific or extend only to public companies. ISO 27001 can definitely be used to give substance to requirements and comes with an added benefit of implementing a management system to ensure compliance. Nonetheless, specific regulations may require additional measures related to the type of data involved, for example personal (health) information. As a law or regulation always prevails over a standard, one must look at the specific legal requirements at hand.
Need help implementing ISO 27001 into your organization?
Please contact us if you wish additional information on our ISO 27001 toolkit or when you are in need of hands-on support.
Questions? We are happy to discuss your specific case.
Related
Following unsure times in the international data transfer area, we finally have guidance with the publishing of the final version of the new Standard Contractual Clauses by the European Commission. Concluding these SCCs is, however, not enough.On a case-by-case basis, parties need to verify adequate protection under EU law of the data transferred.
As a developer of e-health solutions or software as a medical device, you are not only the manufacturer in charge of ensuring the quality of the product. In addition, you’re responsible for information security and data protection. That is why we at NAALA take a holistic approach into ensuring compliance to all requirements while ensuring efficiency of efforts put into compliance. But what does the overlap between MDR, GDPR and information security standards mean? Aren’t these separate processes?
Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only. Changes in legal or regulatory requirements may occur at short notice, which we cannot reflect on a daily basis.