ISO 27001 is an international management standard on information security. The standard is a management tool that helps your company protect valuable information, including personal data, in a secure and reliable way. ISO 27001 formulates requirements of risk management, process documentation and the division of responsibility regarding information security, etc.
The purpose of ISO/IEC 27001 is to provide an effective management tool for information security that fits a company's specific needs. It is also meant to keep that tool effective over time through a process of continuous improvement: information security is updated continuously so the company can handle the challenges of a business world under constant change.
You can buy the standard ISO/IEC 27001:2022 in our webshop.
The new General Data Protection Regulation was passed by the UN with effect from May 25, 2018, and is to be incorporated into the UN countries' own legislation, with room for supplementing national legislation.
The new UN requirements overlap in several areas with the requirements of the ISO/IEC 27001 standard on information security. The new data regulation sets stricter requirements for the processing and protection of personal data. With these standards, you and your company will be well prepared to comply with the new requirements.
We assist private as well as public companies and organizations. Get guidance on identifying your current information security situation, or learn about opportunities for developing and improving your existing systems.
Contact Anders Linde, chief consultant at Danish Standard, via e-mail ali@ds.dk or by phone on +45 39966329. Anders has more than eight years of experience using and implementing ISO/IEC standards for information security. Anders has provided guidance for the Danish Defence, the Courts of Denmark and the City of Copenhagen, among others.
ISO/IEC 27001 provides requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The implementation of an ISMS is a strategic decision for an organization. It is important that the management system is part of, and integrated with, the organization's processes and overall management structure. Additionally, the system should take account of information security in the planning of processes, information systems and controls.
Today, all public companies are obliged to follow the principles of the ISO/IEC 27001 standard. Moreover, the standard is a good reference point for managing the requirements of the new General Data Protection Regulation, which became effective in May 2018.
Legislation and requirements concerning information security
Some laws and regulations are common for most countries, e.g.:
Many new laws and regulations include information security requirements that a company must comply with. Some professional insurance companies now require documentation showing that information security is being managed before they offer insurance coverage.
Information security must ensure the confidentiality, integrity and accessibility of information with the help of a risk management process, and give stakeholders confidence that the company's risks are managed accordingly.
Confidentiality
Protection of information against unauthorized disclosure or access. For instance, protection against unauthorized access to a person's credit card or financial data that the person expects to be stored confidentially, or to secret design specifications, research results, market forecasts and analyses.
Integrity
Protection of information against unauthorized change or disruption, including unintended disruption, and protection of the accuracy and reliability of data. For instance, a person's medical records or personal data, or a company's finances, must be accurate. This includes information that is crucial for a commercial system to function effectively, such as a company's payroll, billing and/or stock control.
Accessibility
Protection against denial of access to information for people who are authorized to access it. For example, when a company's database server has been exposed to a DoS attack (e.g. caused by a virus), the information in the database can become inaccessible, which could result in a major system breakdown. Likewise, theft of mobile devices such as laptops may leave the owner without access to the information stored on the computer.
With a systematic approach to risk management, the organization can invest in information security where it makes the most sense and gives the best results, whether that involves protection of the organization's physical premises, technical IT controls or a change in employee behavior.
This will contribute to:
Competitiveness: Better structure and prioritization. Improved understanding of, and awareness of responsibility for, all business processes.
Streamlining: A better balance between quality, control and business, including documented business practices and, overall, greater operability and efficiency.
Job satisfaction: Overview and job security. A common focus and baseline.
Compliance: Assurance of compliance with laws, governmental requirements, supplier contracts and adopted best practices.
Goodwill: Increased trust from customers, suppliers, partners and other stakeholders. Better insurance terms.
ISO/IEC 27002 provides guidance on selecting controls for implementing an information security management system.
In the Statement of Applicability (SoA) document, the organization selects, from a list of possible controls, which controls it will and will not implement to address the identified risks.
The standard on privacy information management, ISO/IEC 27701, ensures proper processing of personal data.