ISO 27001, the international standard for Information Security, sets out requirements for managing the system in the same way as the other ISO management standards; namely Clauses 4-10, which cover planning, operations, checking and improvement. In addition, and unlike the other standards, ISO 27001 requires that each organisation compiles a Statement of Applicability against 14 key control points. These control points, which are defined in the appendix of the ISO standard, should be applied against the risk assessment process and provide a thorough and comprehensive diagnostic of the risk treatments that should be adopted by the organisation.
The majority of the control points are broken down into further sub-controls, each with its own clear objective. Guidance within the ISO 27001 family of Standards provides an insight into the types of actions that would be expected of the organisation if the control is applicable. The 14 control points are:
| Control Point | Description |
|---|---|
| Information Security Policies | to ensure Information Security policies are in place and kept up to date through an effective review process. |
| Organisation of Information Security | to ensure roles and responsibilities are clear for Information Security management, and that policies are clear for the secure use of mobile devices and teleworking. |
| Human Resource Security | to ensure information security processes are in place to manage information security issues related to personnel, from the period prior to employment right through to post-employment. |
| Asset Management | to ensure that responsibilities for asset management are defined, covering both electronic and physical assets, datasets and their classification, and processes for media handling. |
| Access Control | to ensure that policies are in place to manage users and that user access to data and information is controlled, including log-in and password controls. |
| Cryptography | controls to ensure that effective use of cryptography is in place. |
| Physical and Environmental Security | to ensure that physical access to information assets is controlled in order to prevent damage and interference. This includes secure access policies and also the selection and management of physical assets. |
| Operations Security | to ensure that secure operations are in place, including the provision of malware protection, backups, relevant logging and monitoring of data events, and the management of vulnerabilities where they exist. |
| Communications Security | to ensure network security and the secure transfer of information, internally and externally, where required. |
| System acquisition, development and maintenance | to ensure that information security is an integral part of any software or systems that are adopted or developed by the organisation. This also covers those systems that transfer information assets across public networks. |
| Supplier Relationships | to ensure that any information assets accessible by suppliers are protected; this includes data that might be seen accidentally as well as data used by suppliers. It is important for this area of the Standard to consider suppliers that might access and see data, such as cleaning and maintenance staff, as well as outsourced IT providers. |
| Incident management | controls to ensure that effective processes are in place to manage any information security incidents, such as breaches, weaknesses or other activities that could compromise information security. |
| Business Continuity | to ensure that, in the event of disruption, Information Security is embedded so that information assets remain secure. This might also include provision for redundancy, so that servers can fail over. |
| Compliance | to ensure that all legal, statutory, regulatory or other obligations applicable to Information Security are complied with. This could include ensuring the company's own intellectual property rights are protected. |
Adam has been working on Quality and Environmental management systems for most of his career in small, medium and corporate organisations. A keen advocate of the ISO approach as a platform for improvement, Adam ensures that systems are practical and useful for Managers and Staff to use.
Following a number of years working on software development projects, Adam has diversified into Information Security and Business Continuity management. Keen to formalise his industry experience, he is currently undertaking a Diploma in Business Continuity Management at Buckingham University.
Adam has a PhD from Cranfield University and now supports the MSc Environmental Management programmes through the advisory panel and visiting lectures.