ISO27001 Information Security Management Executive Overview
It is generally accepted that information is the greatest
asset any organisation has under its control.
Managing Directors are aware that the supply of complete and accurate
information is vital to the survival of their organisations.
Today more and more organisations are realising that information
security is a critical business function. It is not just an
IT function but covers:
- Risk Management;
- Physical Security;
- Business Continuity;
- Regulatory and Legislative Compliance.
With increasing reliance on data, it is clear that only organisations
able to control and protect this data are going to meet the challenges
of the 21st century.
ISO27001:2005, which was formerly BS7799, is the International Standard
for Information Security Management (ISMS) and provides a definitive
reference for developing an information security strategy.
Moreover, a successful certification to this standard is the
confirmation that the system employed by the organisation meets
internationally recognised standards.
Business has been transformed by the use of IT systems; indeed, IT has
become central to delivering business efficiently. The use of bespoke
packages, databases and email has allowed businesses to grow while
encouraging remote communication and innovation.
Most businesses rely heavily on IT but critical information extends
well beyond computer systems. It encompasses knowledge
retained by people, paper documents as well as traditional
records held in a variety of media. A
common mistake when incorporating an information security system is to
ignore these elements and concentrate only on the IT issues.
Information security is a whole organisation matter and crosses
departmental boundaries. It is more than just keeping a small
amount of information secret; your very success is becoming more
dependent upon the availability and integrity of critical information
to ensure smooth operation and improved competitiveness.
These are the three requirements for any ISMS.
Managing Directors’ Perspective
Your vision is central to organisational development; driving
improvements in all areas of the business to create value. With
information technology being key to so many change programmes,
effective information security management systems are a prerequisite to
ensuring that systems deliver on their business objectives.
Your leadership can help create the appropriate security culture to
protect your business.
Organisations are increasingly being asked questions about ISO 27001,
particularly by national or local government and the professional and
financial sectors. This is being driven by adoption of the
standard as part of their legal and regulatory obligations.
In some areas this is becoming a tender requirement.
Others are seeing a competitive advantage in leading their sector and
using certification in information security management to develop
customer/client confidence and win new business. With public
concern over security issues at an all-time high, there is a real need
to build effective marketing mechanisms to show how your business can
You will certainly be aware of your responsibilities for effective
governance, and be answerable for damaging incidents that can affect
organisational value. The risk assessment, which is the
foundation of the standard, is designed to give you a clear picture of
where your risks are and to facilitate effective decision
making. This translates into risk management, not simply risk
reduction, and therefore replaces the feeling many directors have of
risk ignorance in this area. This will help you understand
the potential risks involved with the deployment of the latest
information technologies and will enable you to balance the potential
downside with the more obvious benefits.
Whether as part of compliance, such as that required by Professional
Bodies, Sarbanes-Oxley or the Data Protection Act, or as part of effective
governance, information security is a key component of operational risk
management. It enables the formulation of effective risk
analysis and measurement, combined with transparent reporting of
ongoing security incidents to refine risk decisions.
Giving values to the impact security incidents can have on your
business is vital. Analysis of where you are vulnerable
allows you to measure the probability that you will be hit by security
incidents with direct financial consequences.
An added benefit of the risk assessment process is that it gives you a
thorough analysis of your information assets, how they can be impacted
by attacks on their confidentiality, integrity and availability, and a
measure of their real value to your business.
Although the detail within the risk assessment process can be complex,
it is also possible to translate this into clear priorities and risk
profiles that the Board can make sense of, leading to more effective
financial decision making.
How well would you cope if a disaster affected your business?
This could be from some natural cause such as flood or storm or, worse,
from fire, terrorism or other civil unrest. The areas not
often considered are sickness, failure of utilities or technology
Business continuity planning in advance of a disaster can mean the
difference between survival and extinction of the business.
Many of the businesses affected by the Buncefield Fuel Depot disaster
never recovered. Those with an effective business continuity
plan have emerged like the phoenix from the ashes.
Many businesses claim to have a plan, but if the plan is untested or
ill-prepared then it is bound to fail.
ISO27001 states that a fully planned and tested BCP should be in place
to prepare for, and be able to deal with, such an emergency.
ISO 27001 Elements
- Risk assessment and treatment - Assessing the risks to the company’s assets, devising a risk treatment plan and finally accepting those risks that cannot be mitigated.
- Security policy - This provides management direction and support for information security.
- Organisation of information security - To help manage information security within the organisation.
- Asset management - To help identify assets and protect them appropriately.
- Human resources security - To reduce the risks of human error, theft, fraud or misuse of facilities.
- Physical and environmental security - To prevent unauthorised access, damage and interference to business premises and information.
- Communications and operations management - To ensure the correct and secure operation of information processing
- Access control - To control access to
- Information systems acquisition, development and maintenance - To ensure that security is built into
- Information security incident management - To deal effectively with any identified security incident.
- Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
- Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement.
About the Author
Chris Eden FIBC, MISSA, ACQI is a director of Quality
Limited an established independent management consultancy based in
Essex, UK which specialises in ISO27001 Information Security
Article Published/Sorted/Amended on Scopulus 2012-01-24 13:26:27 in Computer Articles