ISO/IEC 27001:2013 is the standard for Information Security Management. ISO 27001 is part of the ISO 27000 family of standards, which helps organizations keep information assets secure. It is used by thousands of companies worldwide and allows them to establish a clear, effective system for maintaining confidential data so that it is safe and secure, yet available. The standard combines requirements for the security of procedures and the workforce with requirements for the physical and technical aspects of the company.
As defined by the International Organization for Standardization, the ISO/IEC 27001:2013 standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
There are a number of important business benefits in adopting ISO 27001, whether applying it as a best practice or obtaining an official certification. Here is an infographic highlighting the most important ones.
ISO 27001 benefits include:
· Allow doing business globally
· Improve planning and control
· Achieve better human relations among different departments
· Improve your ability to recover your operations and continue business as usual
· Reduce the likelihood of facing prosecution and fines
· Define the scope of the Information Security Management System
· Confirm the commitment of top management with respect to the information security management system
· Structure and resource your project, including advice on using consultants and an examination of the tools and resources available to help with your project
· Perform a gap analysis to compare actual performance (or status) with the desired performance
· Assess the potential risks to your business and identify areas that are vulnerable
· Perform information security risk assessments at planned intervals or when significant changes are proposed or occur
· Ensure that the information security objectives are consistent with the information security policy
· Define the internal and external communications relevant to the information security management system
· Evaluate the information security performance and the effectiveness of the information security management system, maintaining a continual improvement momentum
· Implement information security training and awareness programs
· Conduct periodic reassessment audits of the Information Security Management System
· Review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness