ISO 27001 is the globally recognised international standard for managing risks to the security of the information you hold. Certification to ISO 27001 allows you to demonstrate to your clients and other stakeholders that you are managing the security of your information. ISO 27001:2013 (the current version of ISO 27001) provides a set of standardised requirements for an Information Security Management System (ISMS).

The ISO 27001 standard and an ISMS provide a framework of information security management best practice that helps organisations to:

  • Protect client and employee information
  • Manage risks and information security effectively
  • Achieve compliance with regulations such as GDPR
  • Protect the company’s brand image

What is the benefit of ISO27001?

By achieving certification to ISO 27001, an organisation gains numerous and consistent benefits, including:

  • Keeps confidential information secure
  • Provides customers and stakeholders with confidence in how the company manages risk
  • Allows for the secure exchange of information
  • Allows companies to ensure they are meeting their legal obligations
  • Helps companies to comply with other regulations (e.g. SOX)
  • Provides companies with a competitive advantage
  • Enhances customer satisfaction, which improves client retention
  • Ensures consistency in the delivery of the service or product
  • Manages and minimises risk exposure
  • Builds a culture of security
  • Protects the company, its assets, shareholders and directors

At DMZ IT we believe that efficiency is the value that guides our approach to everything we do. We therefore prefer a custom-made, individually designed approach for each customer; there is no such thing as “one size fits all”. Everything we do is in the context of the customer's business activities and the risks it faces.

We have created a five-step approach to Information Security:

  • Step 1 – Assessment of the environment
  • Step 2 – Information Assets Management
  • Step 3 – Risk Assessment
  • Step 4 – Risk Mitigation
  • Step 5 – On-going System Improvement Process

In the first step we establish exactly what the customer's priorities for information security are:

  • What are the most important business objectives?
  • Which processes are critical to meeting those business objectives?
  • What legal environment does the business operate in, i.e. what contractual, legal or regulatory requirements relate to information security?

The second step is to identify which information assets are critical to supporting the business objectives. This defines the scope of the Information Security Management System implementation.

Once we know the customer's exact requirements and what we need to protect, we can move to step three, Risk Assessment. We use different methodologies depending on the customer's specifics, e.g. ISO27005, RiskIT, M_o_R or COSO. Very often we customise them so that they become a “tailor-made suit”.

Step four in our process is to prepare a Risk Treatment Plan. In this phase we decide what to do with each existing risk in order to reduce it to a level within the customer's tolerance. We can adopt a number of strategies:

  • Application of relevant controls, such as procedures and policies, suitable technical solutions, training, etc.
  • Risk transfer – shifting the risk to a third party through a form of support, guarantee or insurance contract
  • Risk avoidance – taking steps to remove the hazard and the exposure, by engaging in an alternative activity or otherwise
  • A combination of the above

The entire effort would quickly become outdated without the fifth step, the On-going System Improvement Process.

The On-going System Improvement Process ensures that the newly implemented system remains valid and continues to provide benefits to the organisation. We adopt the Plan-Do-Check-Act approach as recommended in ISO27001:

  • PLAN – Establish policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with overall policies and objectives of an organization.
  • DO – Implement and operate the policy, controls, processes and procedures.
  • CHECK – Assess and, where applicable, measure process performance against policy, objectives and practical experience and report the results to management for a review.
  • ACT – Maintain and improve the ISMS. Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

Posted by Derek Mizak

Cyber security consultant working on the application of Artificial Intelligence to cyber security practice, Digital Forensic Investigator, ISO27001 lead auditor.