DataSpeaks maintaining an Information Security Management System (ISMS): ISO 27001 standard.

What is the ISO 27001 standard?

ISO 27001 describes the requirements that an organization must apply to produce a model for establishing, executing, operating, monitoring, evaluating, and maintaining an Information Security Management System (ISMS). An ISMS is a framework of strategies and procedures that includes all legal, physical, and technical controls included in an organization’s information risk management processes. The ISO 27001 gives a checklist of controls that should be considered in the accompanying code of practice. This standard represents a comprehensive set of information security control objectives and a set of generally accepted good practice security controls. ISO 27001 is categorized into 12 separate sections:

  1. Introduction: It describes what information security is and why an association should manage risks.
  2. Scope: It covers high-level conditions for an ISMS to apply for all types of organizations.
  3. Normative References: This explains the correlation between ISO 27000 and 27001 standards.
  4. Terms and Definitions: It covers the complex technology that is used within the standard.
  5. Context of the Organization: It explains what stakeholders should be included in creating and maintaining the ISMS.
  6. Leadership: It defines how leaders within the organization should perform to ISMS policies and procedures.
  7. Planning: It covers how risk management should be planned crossed the organization.
  8. Support: It describes how to establish awareness about information security responsibilities.
  9. Operation: It includes how risks should be managed and how documentation should be implemented to meet audit standards.
  10. Performance Evaluation: It gives guidelines on how to control and measure the performance of the ISMS.
  11. Improvement: It explains how the ISMS should be continually updated and improved.
  12. Reference Control Objectives and Controls It provides an annex analyzing the individual elements of an audit.

What are the ISO 27001 Audit Controls?

The ISO 27001 standard lists security controls in three categories: preventive, detective, and corrective.

1) Preventive control
Goal: discourage or prevent the occurrence of problems

  • Detect problems before they occur
  • Control operations
  • Prevent an error and malicious acts

2) Detective control
Goal: Search for and identify problems

  • Use controls that detect and report the existence of an error and malicious act

3) Corrective control
Goal: Overcome the problems discovered and prevent the recurrence of problems

  • Minimize the impact of a threat
  • Overcome problems discovered by detection controls
  • Identify the causes of the problem
  • Correct errors arising from a problem
  • Modify the processing system to reduce the presence of future problems to a minimum