
Fact Sheet: Introduction to ISO 27001 Information Security Management Systems

ISO 27001:2013 and data protection law

What's the problem?

In 2015 PricewaterhouseCoopers released its 2014 survey on the Global State of Information
Security and revealed that the number of reported information security incidents rose, on average,
by 66% each year over a five-year period. The survey also reported that, in 2014, the total number of
reported security incidents had increased to 42.8 million across the world.

The UK Information Commissioner's Office 2015/2016 annual report records that it received 16,388
reports of potential data security breaches during the year.

Meanwhile, in June 2016 alone, typical breaches being reported by databreaches.net included:

- 360 million MySpace accounts hacked
- 45 million personal records stolen from domain host Verticalscope
- Archived paper copies of patient medical records in East Riding of Yorkshire lost by a private storage company
- 3,000 patient medical records inappropriately accessed at West Wales General Hospital by a nurse

Clearly, our data is leaking at an alarming rate and organisations that have a duty to protect it could
do much more.

EU & UK Law

The Data Protection Act has been in force since 1998 and lays down some principles for data
security:

- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- be ready to respond to any breach of security swiftly and effectively.

Moreover, the EU General Data Protection Regulation (GDPR) was ratified in April 2016. This
regulation takes data protection to a significantly higher level, and organisations that hold personal
data on citizens of member states have until 25th May 2018 to comply with it. The UK
Information Commissioner's Office has stated its opinion that, even if the Regulation isn't passed
into UK law, it will still be relevant for many organisations here. GDPR is designed to produce a
Single Digital Market by harmonising the existing 28 sets of national data protection laws into one
set of requirements. Fines for breaching GDPR are potentially serious for organisations that lose
data and will be up to 4% of turnover or €20 million, whichever is higher.

Who needs to comply?

Quite simply any organisation that holds data that, on its own or along with other accessible data,
can be used to identify an individual in the UK or the EU.

So what is ISO 27001?

ISO 27001 (formally ISO/IEC 27001:2013) is an international standard that provides a specification
for an information security management system (ISMS), which is a framework of policies and
procedures that includes all of the legal, physical and technical controls involved in an organisation's
information risk management processes.

The ISO 27001 standard uses a top-down approach to the management of data security risks, which
can be used with all types of media for data storage. The specification defines a six-part planning
process:

1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select control objectives and controls to be implemented.
6. Prepare a plan that shows how the controls manage the risks that have been identified.

ISO 27001 includes details for documentation, management responsibility, internal audits, continual
improvement, and corrective action. The standard requires cooperation among all sections of an
organisation. Although the 27001 standard isn't prescriptive about information security controls, it
provides a checklist of 114 measures that should be considered.

How can ISO 27001 help my organisation?

The PwC research paper analysed the 20 biggest data breaches during 2014-2015 with the aim of
identifying what companies did wrong and what should be done to address the weaknesses. Victims
generally had suitable technical controls over the information, such as firewalls, antivirus and similar
safeguards, but these weren't sufficient because technology, on its own, won't protect data. An
important finding of the survey was that none of the major victims were certified to ISO 27001 at the
time of the data breaches. They were either not implementing ISO 27001 at all, or were failing to
implement it fully. ISO 27001 goes beyond technical controls and takes into account training,
awareness and the behaviours of the people in the organisation.

The British Standards Institution (BSI) has published a white paper that shows how ISO 27001 can
provide a framework with which to comply with the EU General Data Protection Regulation. What's
more, BSI commissioned a research paper by the business school of Erasmus University that shows:

- 87% of organisations with ISO 27001 are positive or very positive about its benefits
- 78% of certified organisations reported improved levels of legal compliance
- 56% of organisations reported a reduced number of security breaches
- 47% of organisations reported a reduction in downtime of IT systems
- 43% of organisations reported an increase in sales

How can I get advice?

The HSQE Department Ltd has years of experience helping companies to implement ISO
management systems and so can reduce the time and cost needed to achieve certification. We can
carry out gap analyses to identify what you need to do to comply with ISO 27001, help you to define
a plan to implement any changes, guide the preparation of the Information Security Management
System, carry out pre-certification checks on the compliance of your systems and manage the
certification visit.

© 2016 The HSQE Department Ltd t/a Construction Certification
Registered Office: 2, Stafford Place, Weston-super-Mare, Somerset, BS23 2QZ
http://www.thehsqedepartment.com
VAT Registration Number: 107156144
