General | 5 min read - 02 July 2015

ISO 27000, first steps with the standard

ISO 27000

This post is also available in: Português English Español


Information security is widely discussed in the corporate environment, since information is considered one of the most valuable assets of an organization, regardless of its sector or size. This importance created the need for a standardized framework for implementing and operating information security concepts. To meet that demand, the international standards bodies ISO and IEC began developing a set of standards that became the ISO/IEC 27000 family, which standardizes the activities involved in implementing and operating an Information Security Management System (ISMS).

Below we present a general overview of the ISO/IEC 27000 family, starting with its history and the general characteristics of the standards, then describing what an ISMS (Information Security Management System) is, why it matters, and what benefits it brings to organizations.

A bit of history

In 1995 the British Standard BS 7799 was published, and it is the origin of the ISO 27000 series. In 1999 BS 7799 was revised and split into BS 7799-1, Code of practice for information security management, and BS 7799-2, Information security management systems – Specification. A third part, BS 7799-3, Guidelines for information security risk management, was added later.

In 2000, BS 7799-1 was adopted by ISO as ISO/IEC 17799. Between 2001 and 2004 the ISO 17799 standard was extensively revised, resulting in ISO/IEC 17799:2005, published in June 2005. In the same year BS 7799-2 was also adopted by ISO and received the number 27001, published as ISO/IEC 27001:2005; this started the 27000 series dedicated to the standardization of information security. In 2007, ISO/IEC 17799:2005 was renumbered ISO/IEC 27002:2005, integrating it into the 27000 series. The evolution of the 27000 family did not stop there, as we will see in this article.

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) maintain expert committees dedicated to developing international standards that let organizations implement appropriate structures for managing their information assets: financial information, intellectual property, data about employees, customers or third parties, and, in general, any information that brings value to the business.

The ISO 27000 standards enable organizations of all types and sizes to implement and operate an Information Security Management System (ISMS). The international standards are organized by number, as listed below:

ISO/IEC 27000: Information security management systems – Overview and vocabulary

ISO/IEC 27001: Information security management systems – Requirements

ISO/IEC 27002: Code of practice for information security controls

ISO/IEC 27003: Information security management system implementation guidance

ISO/IEC 27004: Information security management – Measurement

ISO/IEC 27005: Information security risk management

ISO/IEC 27006: Requirements for bodies providing audit and certification of information security management systems

ISO/IEC 27007: Guidelines for information security management systems auditing

ISO/IEC TR 27008: Guidelines for auditors on information security controls

ISO/IEC 27010: Information security management for inter-sector and inter-organizational communications

ISO/IEC 27011: Information security management guidelines for telecommunications organizations based on ISO/IEC 27002

ISO/IEC 27013: Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1

ISO/IEC 27014: Governance of information security

ISO/IEC TR 27015: Information security management guidelines for financial services

ISO/IEC TR 27016: Information security management – Organizational economics

Scope of the 27000 family

The international standards of the 27000 family serve as the basis for creating and operating Information Security Management Systems (ISMS). The model is the result of consensus among experts and is regarded as the state of the art in standardization for the information security field.

The purpose of ISO/IEC 27000 itself is to give a general overview of information security management systems and to introduce readers to the technical terms used throughout the family of standards.

Terms and definitions

The official ISO/IEC 27000 document contains a large number of terms and definitions used throughout the family of standards. Because it is an extensive topic, we will not cover it in this article, but we refer readers who wish to go deeper to the ISO/IEC 27000 standard itself.

Information Security Management System (ISMS)

An Information Security Management System brings together policies, procedures, guidelines and associated resources for the coordinated management of the protection of an organization's information assets. The ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security, in line with the strategic goals of the business. It is based on risk assessment and risk acceptance, so that risks can be managed effectively as part of the company's daily operations.

Key foundations for a successful ISMS implementation:

  1. Awareness of the need for information security;
  2. Assignment of responsibility for information security;
  3. Management commitment and the interests of stakeholders incorporated into the system;
  4. Enhancing societal values;
  5. Careful risk assessment, to select appropriate controls and reach levels of risk acceptable to the organization;
  6. Security incorporated as an essential element of information networks and systems;
  7. Active prevention and detection of information security incidents;
  8. A comprehensive approach to information security management, with continual reassessment and modification according to the needs of the business.

Importance of ISMS

In an interconnected world, information and the processes and resources associated with it are business-critical assets. Organizations and their systems face security threats of many kinds, including espionage, sabotage, terrorism, natural disasters that are hard to anticipate, and attacks on information systems and communication networks that are increasingly difficult to identify and prevent. For these reasons, implementing an ISMS provides strong support for risk management in the organization.

The adoption of an ISMS by a company, regardless of its size, should involve internal employees, partners and suppliers, giving consistency to the whole process. It is important to emphasize that the information systems used by the company must be aligned with the applicable technical standards, bringing the business into conformity.

Another important point is that the range of technical information security measures is practically unlimited, but technical controls alone are not enough: in many cases they only work when supported by procedures defined and managed within the ISMS.

Critical success factors

Many factors influence the success of an ISMS implementation, but one of the main ones is the full alignment of the ISMS with the strategic goals of the business, so that it genuinely serves them.

The ISMS must be part of the organization's culture, with support from all levels of management, and especially from senior management. It also requires an understanding of the requirements for information protection and risk management, achieved through company-wide awareness, education programs for employees, and established standards and rules that make everyone's role in the ISMS clear. In addition, it is essential to define a methodology for managing information security incidents and business continuity. Finally, establishing a system for measuring ISMS performance, including feedback and process improvement, is of great value.

Benefits of ISMS – 27000 Family

The main goal of implementing an ISMS is to reduce the likelihood and/or impact of information security incidents, but other benefits can be highlighted:

  • An organized method to support the process of specifying, implementing, operating and maintaining an Information Security Management System (ISMS);
  • Assistance in managing information security within the context of risk management and corporate governance;
  • Alignment with globally adopted concepts and best practices, in a non-prescriptive way that allows adaptation to the specific needs of each business;
  • Credibility for the organization with its employees and with the market;
  • More effective management of information security investments.

The information presented in this article is introductory and is intended as a reference for further study of the ISO/IEC 27000 standard and the other standards of the family.

Stay tuned for upcoming articles; enhance your knowledge of the 27000 family of standards.
