ISO 27001 and Complementary Standards
The ISO 27000 family of information security management standards is a set of information security standards that are mutually supportive and may be used to build an internationally recognized framework for best-practice information security management.
There are many standards in this family, but to outline a few;
- ISO/IEC 27001 – Requirements, and specifications for setting up an Information security management system (ISMS)
- ISO/IEC 27002 – List information security controls for information security, cybersecurity and privacy protection. Also, a supporting standard to 27001, helps to implement it.
- ISO/IEC 27005 – Describes how to conduct an information security risk assessment in accordance with the standard of ISO/IEC 27001
The beautiful thing about this collection of control frameworks is that it’s really flexible and allows an organization to incorporate their style and strategies into its use. The framework is all-encompassing, cutting across every area as regard risk, its management and compliance. Despite the numerous controls in some standards of the family, a company simply needs to select the ones needed.
- ISO/IEC 27001
ISO 27001 is a framework that aids enterprises in establishing, implementing, operating, monitoring, reviewing, maintaining, and constantly improving an Information Security Management System (ISMS).
An ISMS is a policy and procedural framework that covers all legal, physical, and technical controls involved in an organization’s information risk management activities.
This regulation, like many other ISO standards, is not mandatory. However, compliance with this helps an organization to align its information security practices with industry best practices and also provides uniformity across various enterprises.
There are other perks to compliance too. For example, implementing the ISO/IEC 27001 in an organization automatically allows such organization to meet up to data protection laws and regulations, such as the GDPR (General Data Protection Regulation), NDPR (Nigeria Data Protection Regulation) and the NISR (Network and Information Systems Regulations). So when data breaches occur and there’s an inquisition done in order to probe the cause and accompanying inadequacies leading to the breach, the organisation would be found faultless, having done their due diligence. This will help save a whole lot of litigation money for them.
This standard has ten management clauses, and these list 114 controls in total; 1. Scope 2. Normative references 3. Terms and definitions 4. Context 5. Leadership 6. Planning and risk management 7. Support 8. Operations 9. Performance evaluation 10. Improvement.
As you can see here, the ISO/IEC 27001 doesn’t direct its focus to technology only. It recognizes that there’re 3 key players in the INFOSEC game; People, Processes and Technology. So the controls are channelled accordingly, to help an organization effectively manage the security of their information.
Another thing worthy of note about this standard is its flexibility. It’s impossible for an organization to use all 114 controls, so this standard gives room for an organization to mould it to fit its unique business needs.
Irrespective of size, function and business focus, as long as you have information to protect, the ISO/IEC 27001 is suitable for you.
- ISO/IEC 27002
This standard is supplementary to the ISO/IEC 27001, allowing for its effective implementation. It addresses a set of controls for the protection of information security and serves as a reference to implement these controls in an ISMS, that conforms with its parent standard. This can be at the start, development or maintenance stages. So apparently, ISO/IEC 27002 can’t be used as a standalone.
The focus is on 14 security controls listed in Annex A of the ISO/IEC 27001 standard, numbering from A5 to A18. These are:
- Information Security Policies (A.5)
- Organization of Information Security (A.6)
- Human Resource Security (A.7)
- Asset Management (A.8)
- Access Control (A.9)
- Cryptography (A.10)
- Physical and environmental security (A.11)
- Operation Security (A.12)
- Communication security (A.13)
- System acquisition, development and maintenance (A.14)
- Supplier relationships (A.15)
- Information security incident management (A.16)
- Information security aspects of business continuity management (A.17)
- Compliance (A.18)
The ISO/IEC 27002 standard all culminates into one single goal, defining information security in terms of the CIA triad: confidentiality (ensuring that information is only accessible to those authorized to have access); integrity (ensuring the accuracy and completeness of the information and its processing methods); and availability (ensuring that authorized users have access to information and associated assets when required).
- ISO/IEC 27005
Just like the other members of its family, the ISO/IEC 27005 standard is interconnected with ISO/IEC 27001. Essentially, it provides a description of conducting a risk assessment, in accordance with ISO/IEC 27001 standard.
The standard provides guidance on systematically detecting, analyzing, evaluating, and treating information security risks, which are procedures central to an ISO/IEC 27001 Information Security Management System (ISMS). Its goal is to guarantee that businesses logically design, implement, manage, monitor, and maintain their information security controls and other arrangements in accordance with their information security risks.
Therefore, adopting the ISO/IEC 27005 will ensure satisfactory implementation of information security in alignment with the risk-based approach of the ISO/IEC 27001 standard.
To conduct a risk assessment systematically, there are 3 general stages:
- Risk identification: The organization has to identify the assets they possess, the kind of vulnerabilities they have, the threats they’re likely to face and factors that could affect the organization. Then they’ll be able to identify the risks they’re exposed to. The risks identified are unique to the organization.
- Risk Analysis: Here, we want to comprehend the nature of the risk identified. The inherent characteristics, such as how severe it is, its complexity, sources, probability of it occurring and effective controls to successfully manage it.
- Risk Evaluation: In this stage, the organization would determine what action to take by taking into consideration the results from the risk analysis, the existing risk criteria and the organizational objectives. Going forward, the organization would then implement effective risk management strategies, suitable for the business’s needs.
As with other standards in this family, the ISO/IEC 27005 is dynamic and flexible, suitable for all kinds of organizations and can be exquisitely tailored to fit each’s unique needs.
Organizations no longer need to worry about incorporating information security into their organizational processes because these established, globally recognized standards are in place.
So make an informed decision today and get your business assets secured and protected.