- Establishing an Information Security Management System (ISMS) in order to minimize information-related risks.
- Continually improving the ISMS.
- Demonstrating conformity with the organization’s own security policy.
- Demonstrating conformity with applicable legal requirements.
- Having the ISMS certified/registered by an external organization.
- Determining the organization’s own ISMS level and declaring conformity with the ISO 27001 standard.
Motivation and benefits
In today’s competitive business environment, information is constantly under threat from many sources irrespective of an organization’s size and the market it operates in. The security of information assets is crucial to all organizations and requires effective management.
No matter how secure and well protected an organization appears to be, information can be leaked without you even realizing it until it is too late. All information in all departments, whether stored on a computer, on paper or in the heads of the people you employ, is at risk from any number of very real threats. Information security is not just an issue for IT managers: a single breach of information security could cost you hard-earned profits while doing irreparable damage to your image and reputation. Your capacity to trade profitably depends on your ability to manage the risks to information effectively.
As the number of reported information security breaches steadily increases, the need for a structured approach to the management of information security intensifies. An Information Security Management System (ISMS) based on ISO 27001 provides a well-proven framework to initiate, implement, maintain and manage information security within an organization.
ISO 27001 is the internationally recognized standard for setting out the requirements for ISMS. It helps identify, manage and minimize the range of threats to which information is regularly subjected. The standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties including an organization’s customers and suppliers.
It uses a risk-based approach to managing information security, which ensures that results are both appropriate and affordable to the organization. It also incorporates the proven Plan-Do-Check-Act (PDCA) cycle, which enables an organization to continually improve its information security management and meet the changing legal and regulatory requirements for information security.
An Information Security Management System helps to protect the IT systems and other critical information of the organization against the threat of loss, theft and damage.
An organization certified to ISO 27001 enjoys higher confidence among its customers. Elements of ISO 27001 can be combined with those of ISO 9001 and ISO 20000 into a comprehensive management system.
- Enhance Security of Information
- Improve Confidence of Stakeholders
- Control Security Incidents
- Save Security Costs
- Improve Market Share
- Enhance Customer Satisfaction
- IT & ITES
- Banks, Insurance Companies & Financial Institutions
- Telecom Industry
- Manufacturing and service industry
- Public Sector Units
- Government organizations
ISO 27001 specifies the requirements for an Information Security Management System, which helps organizations manage their information security risks and improve their performance.
An Information Security Management System according to ISO 27001 can be applied by any organization. All requirements stated in the current ISO 27001 standard are intended to be incorporated into the ISMS. The extent to which they are applied depends on factors such as the security policy of the organization concerned, the organization’s activities and assets, the risks it faces, and the complexity of its operations and processes.
In order to be certified according to ISO 27001, an organization must fulfill the following criteria:
- Elaborating an Information Security Policy
- Establishing a security organization
- Maintaining a comprehensive inventory of assets with classification and responsibility assigned.
- Performing a risk analysis, planning, setting objectives and establishing a programme for reducing the number and scope of security incidents in the organization
- Having a clear and concise definition of the physical and environmental security requirements for the organization’s premises and the people within them
- Developing and maintaining business contingency plans which protect critical business processes from major disasters or failures.
- Demonstrating to clients, employees and the authorities your commitment to meeting statutory or regulatory information security requirements
- Integrating the requirements into the business processes
- Internal auditing and periodic management review of the system
Quality Austria in co-operation with CIS (Certification & Information Security Services GmbH) is accredited for certifying organizations according to ISO 27001:2013.
Other Relevant Standards
ISO 9001, ISO 20000, BS 25999, ISO 31000.