06 Oct ISO 27001: Essential featuresTempo de leitura: 5 minutos
ISO 27001 is a very relevant standard for companies seeking ISO certification, since it is responsible for specifying how an Information Security Management System (ISMS) should be implemented in corporate environments.
In this article, we will present a brief history about ISO 27001, its main characteristics and scope, as well as general information about the certification process.
The history of the ISO 27001 standard refers to the British Standard 7799, published in 1995. After undergoing a series of revisions, this standard originated the standard known as ISO/IEC 17799.
With a second part of BS 7799 regarding the implementation of an Information Security Management System and published in 1999, it was established the standard now known as ISO 27001. This standard was established in 2005 with the publication of a new revision made in 2013 to accommodate the necessary adaptations, since resources like cloud computing has become a reality in the IT universe.
The standard requires the company to conduct a security risk analysis periodically, whenever significant changes are proposed or established. For this analysis to be done correctly, it is necessary to establish risk acceptance criteria as well as the definition of how these risks will be measured.
It should also be assessed the potential consequences of identified risks, as well as their likelihood and levels.
Top management commitment
The standard also requires senior management to demonstrate commitment to the ISMS, as well as being part of the company responsible for information security. Leaders are also responsible for ensuring that all resources for system deployment are available and allocated correctly, having the obligation to guide employees in order to make the system truly efficient.
Definition of goals and strategies
During planning, the company needs to be very clear about what its security goals are and what strategies will be established to achieve those goals. The objectives, however, cannot be generic; they must be measurable and consider safety requirements.
Resources and competences
The organization must also ensure that all the resources needed not only for implementation but also for system maintenance are available. In addition, it is necessary to establish what the necessary skills are and to make sure that the persons responsible are qualified enough, even with supporting documentation.
Documenting the information
The standard requires all information to be properly documented, with identification, definition and format. The information needs an update whenever there is a change in the initial definitions of the project, being necessary the changes to be approved, before being formalized and consolidated.
Tracking the performance
At that moment, the objectives defined in previous steps should be measured and monitored, through indicators that allow an analysis of efficiency of the system.
Once the system goals are achieved, the company needs to implement and maintain a system of continuous improvement to correct nonconformities. This improvement can be made, for example, applying critical management reviews and also internal audits.
What are the advantages of receiving ISO 27001 certification?
As an internationally recognized certification, ISO 27001 brings advantages not only for the management of information itself, but also to the company as a whole. The main advantages include:
- Reducing the impact and occurrence of risks by prior identification;
- Increased reliability regarding the company, since customers know their data is safe;
- Better adaptation to changes, since all information is documented and management is optimized;
- Improvement of internal organization;
- Attendance to standards required by clients and the law;
- Gaining competitive advantage in general.
What does it take to get certified?
In order to become certified, it is necessary for the company to immerse in the scope of the ISO standard and begin the process of adapting its structure, seeking to meet the requirements set forth in the standard. Most of the companies opt for the contraction of specialized consultancies, to assist in the certification process.
- Scope of the ISMS;
- Security, management and risk treatment policy;
- Proof of competence of personnel responsible for the system;
- Operational planning, including continuous improvement;
- Documentations that make clear the policies of confidentiality, relevant laws, procedures in situations related to information management and more;
- Documented decisions on risk treatment;
- Results of internal audits made after the initial changes;
- Proof of absence of non-compliance with standard-related nonconformities, with changes made after the results of internal audits.
After implementing the ISMS, the company can start the phase of auditions for certification. Usually the audition process starts with a pre-audit request. The pre-audit follows the same steps as the Certification Audit, including opening meeting, investigation, reporting of nonconformities, and closing meeting. It is worth mentioning that the request for pre-audit is optional, being at the discretion of the company its execution.
The audits for ISMS certification are carried out in two stages, starting with the documentation audit, also known as phase 1, continuing on the certification audit, known as phase 2, each with a specific scope.