Monday, May 3, 2021

ISO/IEC 27001. Information Security Management System

ISO/IEC 27001 is one of the world's most popular standards. It demonstrates that a company can be trusted with information because it has sufficient controls in place to protect it. Many tech giants, financial institutions, health service providers, insurance companies, education institutions, manufacturing and service companies, and large and small businesses around the world have this standard in place as proof of their capability to protect the confidentiality, integrity and availability of the information they process.

The management system requirements of ISO/IEC 27001 cover the high-level areas of:

  1. the context of the organization, 
  2. leadership, 
  3. information security policy and objectives, 
  4. information security risk assessment and treatment, 
  5. competence and awareness, 
  6. documented information, 
  7. operational planning and control, 
  8. internal audit, 
  9. management review, 
  10. nonconformity and corrective action.

Then there are the controls from Annex A of ISO/IEC 27001, which lists 114 information security controls. The topics include aspects such as:

  1. Information security policies, 
  2. organization of information security, 
  3. mobile devices and teleworking, 
  4. security of human resources, 
  5. asset management, 
  6. classification of information, 
  7. media handling, 
  8. access control, 
  9. user responsibilities, 
  10. system and application access control, 
  11. cryptography, 
  12. physical and environmental security, 
  13. equipment security, 
  14. operations security, 
  15. protection from malware, 
  16. backup, 
  17. logging and monitoring, 
  18. control of operational software, 
  19. technical vulnerability management, 
  20. communications security, 
  21. network security management, 
  22. information transfer, 
  23. system acquisition, 
  24. development and maintenance, 
  25. security in development and support, 
  26. supplier relationships, 
  27. incident management, 
  28. information security as part of business continuity management, 
  29. redundancies and compliance.

Here are some links:
https://www.iso.org/isoiec-27001-information-security.html
https://www.iso.org/certification.html
