BS EN ISO/IEC 27001:2017 Explained

Since their inception in the early 1990s, global information security standards have grown in rigor and recognition. So too have information security threats and the best ways to manage them.

The BS EN ISO/IEC 27001:2017 standard reflects current best practice for information security management. It provides specific recommendations to help you establish an Information Security Management System (ISMS), monitor its performance and implement improvements when necessary. It also enables external assessment and certification of an organization’s information security.

What is this standard about?

BS EN ISO/IEC 27001:2017 is the internationally acclaimed standard for information security management. It is the baseline standard of the ISO 27000 series of international information security management standards and the foundation standard for implementing an Information Security Management System (ISMS).

Who is this standard for?

Anyone planning to build, operate, audit or certify an ISMS. It will also be useful to anyone with an interest in integrated management systems, or a general interest in assessing information security measures.

Why should you use this standard?

This standard is not unnecessarily prescriptive, allowing great flexibility in how requirements are satisfied and giving organizations freedom to implement requirements in a manner best suited to them.

It uses BS EN ISO/IEC 27002:2017, a Code of Practice for information security controls – with which it fully aligns – as its source of possible security measures.

BS EN ISO/IEC 27001 and BS EN ISO/IEC 27002 are supported by a wide range of other specialist standards in the 27000 series.

What’s changed since the last update?

This is a technical update of the previous edition. In addition, it follows the new high-level structure common to all recent management system standards. This allows easy integration when implementing more than one management system within your organization, for example when combining information security with quality (BS EN ISO 9001:2015) or environmental management (BS EN ISO 14001:2015).

Why do you need the BS EN ISO/IEC 27001:2017?

ISO 27001 is the international market benchmark for information security management. It provides:

  • a model for ready-made security procedures, controls and a framework for information security in organizational IT;
  • access to independent certification and assessment organizations;
  • business knowledge;
  • a methodology for common management system standards to ensure interoperability;
  • recognition by foreign governments; and
  • an extended lifespan.

An ISMS allows your organization to:

  • optimize its information security practices;
  • achieve and maintain a competitive advantage;
  • develop and implement appropriate risk management strategies;
  • improve the quality of your information systems.

How does it enrich your organization’s security?

ISO 27001 benefits customers and other stakeholders by enhancing your information security and consequently the quality and acceptance rate of your IT services and products. Ultimately, ISO 27001 is what your customers want to see.

Why do you need ISO 27001?

Information security is becoming increasingly important to businesses today with the growth of internet technology. Customers want peace of mind that their personal or company information is safe and secure, and ISO 27001 gives assurance of this.

ISO 27001 will greatly increase the chance of a sale to a potential client and give assurance that your business is credible, reliable and can be trusted.

How does it benefit your organization?

ISO 27001 will help to protect your customers from malicious attacks and to improve your security posture. It will also reduce the risk of fines, customer fraud and perhaps even litigation.

Is ISO 27001 relevant to data security?

ISO 27001 is the best standard for data security in the world. It is the only information security management standard that integrates the data security management processes into a single, unified data security approach.

Will ISO 27001 help me obtain insurance coverage?

Many world-leading organizations, such as the UK Ministry of Defence, Lloyd’s of London, the Bank of England and BAE Systems, indicate that they are willing to accept ISO 27001 certification as an assurance of information security. An ISO 27001 certificate is, therefore, a significant advantage when seeking business continuity and insurance coverage.

Will ISO 27001 save me from incidents such as a data breach?

No one can guarantee to be 100 percent safe from incidents such as a data breach. Nevertheless, the ISO 27001 Information Security Management System (ISMS) is the best known method of preventing the occurrence of incidents such as a data breach.

What are the normal safeguards against a data breach?

The normal safeguards against a data breach are:

  • Physical security: Controls for physical access to premises and storage locations.
  • Electronic security: Controls for the use of computers and infrastructure.

What purpose does the ISO 27001 Information Security Management System (ISMS) serve?

The purpose of the ISO 27001 ISMS is to protect all of the information assets within an organization. Assets may be customer/client information, trade/business information, financial information, staff information and any company information that is vital to its operation.

Are there many types of ISO 27001 ISMS certification?

There are two main types of ISO 27001 certification: Organizational Certification and Asset Certification. Organizational Certification covers the whole organization and can be certified under ISO 27001:2013, ISO 27001:2015 or ISO 27001:2017. Asset Certification covers an individual organizational asset, such as a data center or server room, and is available under ISO 27001:2013, ISO 27001:2015 and ISO 27001:2017. There is also a third type of certification, Registration, which is available under ISO 27001:2013 and ISO 27001:2015 and covers an additional organizational asset.

What is required for ISO 27001 certification?

All organizations need to complete self-assessments and make the required changes before they can achieve certification.

The required self-assessments are:

  • Appendix A | Planning and Control of ISMS implementation;
  • Appendix B | Organization of ISMS;
  • Appendix C | Risk Assessment;
  • Appendix D and E | Implementation of ISMS;
  • Appendix F | ISMS change control;
  • Appendix G | Documentation.

These self-assessments give an organization confirmation of the state of its security.

What certification bodies are ISO 27001 certified?

There are over 200 certification bodies worldwide. Exemplary certification bodies and overseas registration bodies (RBO) include:

  • BSI (British Standards Institution),
  • ANSI (American National Standards Institute),
  • CSA (Canadian Standards Association),
  • QCA (Queensland Certification Authority).