
Management system

ISO/IEC 27001 Information security management

As digitalization increases, so does the risk of cyber-attacks and other types of IT crime. ISO 27001 on information security is therefore a standard that every company or organization should consider.

Buy the standard in our webshop

What is ISO/IEC 27001?

ISO 27001 is an international management standard on information security. The standard is a management tool that helps your company protect valuable information, including personal data, in a secure and reliable way. ISO 27001 sets out requirements for risk management, process documentation and the division of responsibility for information security, among other things.

The purpose of ISO/IEC 27001 is to provide an effective management tool for information security that fits companies’ specific needs. It also aims to ensure that effectiveness is maintained through a process of continuous improvement. This means that information security is continuously updated so the company can manage challenges in a business world under constant change.

Contact

Berit Aadal
Chief Consultant
Standardization | Digital & Sustainability
E: baa@ds.dk
T: 39 96 62 96

Buy the standard ISO 27001

You can buy the standard ISO/IEC 27001:2022 in our webshop.

General Data Protection Regulation (GDPR)

The new General Data Protection Regulation was passed by the UN with effect from May 25, 2018 and is to be incorporated into the UN countries’ own legislation, with room for supplementary national legislation.

The new UN requirements overlap with the requirements in the ISO/IEC 27001 standard on information security in several areas. The new data regulation sets stricter requirements for the processing and protection of personal data. With these standards, you and your company will be well prepared for complying with the new requirements.

Get professional guidance

We assist private as well as public companies and organizations. Get guidance on assessing your current information security situation, or learn about development and improvement opportunities for existing systems.

Contact Anders Linde, chief consultant at Danish Standard, via e-mail ali@ds.dk, or by phone on +45 39966329. Anders has more than eight years of experience using and implementing ISO/IEC for information security. Anders has provided guidance for the Danish Defence, the Courts of Denmark and the City of Copenhagen, among others.

Are you aware of your company’s risks?

ISO/IEC 27001 provides requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The implementation of an ISMS is a strategic decision for an organization. It is important that the management system is part of, and integrated with, the organization’s processes and overall management structure. Additionally, information security should be taken into account in the planning of processes, information systems and controls.

Today, all public companies are obliged to follow the principles in the ISO/IEC 27001 standard. Moreover, the standard is a good reference point for managing requirements in the new General Data Protection Regulation that became effective in May 2018.

Legislation and requirements concerning information security

Some laws and regulations are common for most countries, e.g.:

  • Legislation on data protection and data security
  • Legislation on copyrights, patents, trademarks and digital rights
  • Legislation on computer misuse or hacking
  • Legislation on use of electronic signature (especially important for security of online payments)

Many new laws and regulations include requirements for information security that a company must comply with. Some professional insurance companies now require documentation to keep track of information security before offering insurance coverage.

Recommendations for working with ISO 27001

  1. Establish an IT security committee composed of business people and IT representatives. It is important that the representation is not solely of a technical nature, as IT and information security is about pointing out faults and deficiencies at the IT department or its suppliers. Moreover, it is crucial that top management shows support, preferably by holding the position of chair of the Steering Committee. The committee’s most valuable task is first to specify and then to manage Information Security Governance in the company, e.g. by deciding on a strategy and vision and specifying the organization and the resources to be allocated to the area.
  2. Avoid trying to reinvent the wheel – use the standards that already exist (DS/ISO and ISF Standard of Good Practice). They are all carefully considered and tested in thousands of places. You can always adjust them to fit your company.
  3. Hire a person whose primary job is information security. Studies indicate that companies following this recommendation experience significantly fewer serious incidents. A sense of ownership and clearly defined roles are fundamental.
  4. Create awareness around the subject. It is important to promote good practices and ethics among the users, e.g. in relation to the use of the internet and social media, and the handling of sensitive personal data in both small and large quantities.
  5. Allocate the necessary resources that match the company’s size and maturity. One single person cannot solve an IT security problem in a company of 10,000+ employees, though it may be enough to solve the problem in a small company.


Main principles of information security

Information security must ensure the confidentiality, integrity and accessibility (availability) of information by means of a risk management process, and must give stakeholders confidence that company risk is managed accordingly.

Confidentiality

Protection of information against unauthorized transmission or access. For instance, protection against unauthorized access to a person’s credit card or financial data, which the person expects to be stored confidentially, or to secret design specifications, research results, market forecasts and analyses.

Integrity

Protection of information against unauthorized change or disruption, including unintended disruption, and protection of the accuracy and reliability of data. For instance, a person’s medical records or personal data, or a company’s finances, must be accurate. This includes information that is crucial for a commercial system to function effectively, such as a company’s paychecks, billing and/or stock control.

Accessibility

Protection against unauthorized denial of access for people who are authorized to access the information. For example, when a company’s database server has been exposed to a DoS attack (e.g. caused by a virus), the information in the database can become inaccessible, which could result in a major system breakdown. Alternatively, theft of mobile units, such as laptops, may result in the owner also losing access to the information kept inside the computer.

Why ISO/IEC 27001? How valuable is it?

With a systematic approach to risk management, the organization can invest in information security where it makes the most sense and yields the best results, whether this involves protection of the organization’s physical framework, IT-technical controls or a change in employee behavior.

This will contribute to:

Competitiveness: Better structure and prioritization. Improved understanding and responsibility awareness in all business processes.

Streamlining: Better balance between quality, control and business, including documented business practices and overall more operability and efficiency.

Job satisfaction: Overview and job security. Common focus and baseline.

Compliance: Assurance of compliance with laws, governmental requirements, supplier contracts and implemented best practices.

Goodwill: Increased trust among customers, suppliers, partners and other stakeholders. Better insurance terms.

More information

ISO/IEC 27002 – Information security controls

ISO/IEC 27002 provides guidance on selecting controls for implementing an information security management system.

SoA document – what is a SoA document

In the SoA document, the organization selects from a list of possible measures which measures it wants and does not want to implement to address the identified risks.

ISO/IEC 27701 Privacy information management

The standard on privacy information management, ISO/IEC 27701, ensures proper processing of personal data.