Developing an Information Security Management System (ISMS) that satisfies the requirements of ISO/IEC 27001 involves three steps of implementation:
- Creation of a management framework for information. This sets the direction, aims and objectives of information security and defines a policy which has management commitment.
- Identification and assessment of security risks. Security requirements are identified by a methodical assessment of security risks. The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks.
- Selection and implementation of controls. Once security requirements have been identified, controls should be selected and implemented. The controls need to ensure that risks are reduced to an acceptable level and meet an organisation’s specific security objectives. Controls can be in the form of policies, practices, procedures, organisational structures and software functions. They will vary from organisation to organisation. Expenditure on controls needs to be balanced against the business harm likely to result from security failures.
One section of the actual standard provides guidance on its use.
Adopting ISO/IEC 27001 cannot make your organisation immune to security breaches. But it will make them less likely and reduce the consequential cost and disruption if they do occur.
