1. Introduction
The most important asset of any organization is its information. Hence, the main concern
for an organization should be providing security for those valuable assets. Information
security is a fundamental responsibility of any small or large-scale organization if it is to
achieve its objectives effectively. In order to provide information security, organizations
follow certain standards and their frameworks. ISO (International Organization for
Standardization) is an independent, non-governmental organization which develops
standards to ensure the quality, safety and efficiency of products, services and systems
(Wilber, 2020). A wide range of industries follow ISO standards, and information
security is one of them.
Almost every small to large-scale organization is connected to the internet; hence, the risk
associated with cyber-attacks and data breaches continues to increase. An effective
approach should help defend against both internal and external threats. ISO 27001 is the
international standard that provides the specification for an information security
management system (ISMS). It provides a model and detailed specification for reducing
an organization's exposure to information security risk. ISO 27001 is part of the ISO/IEC 27000
series. The main objective of ISO 27001 is to help organizations in any industry
protect their information in a systematic and cost-effective way by implementing an
information security management system (ISMS). It is the best approach for helping an
organization manage people, process and technology.
2. History
The first standard for information security was published in 1995 as BS7799. After
revision, this document was accepted as the international standard for information
security management. Various parts of this standard were published in later years. The
second part of BS7799 was published in 1999, and this became ISO/IEC 27001:2005.
BS7799 was adopted by ISO as ISO/IEC 27001 in November 2005. The currently used
version of the ISMS standard is ISO 27001:2013.
The organization shall determine the external and internal issues that affect its ability to
achieve the intended outcomes of its ISMS. The organization shall determine the
interested parties that are relevant to the information security management system;
this may include legal and regulatory requirements. Similarly, the organization shall
determine the scope of the ISMS. Lastly, the organization shall establish, implement,
maintain and continually improve the ISMS in accordance with the requirements of the standard.
5. Leadership
Top management shall demonstrate leadership and commitment with respect to the
ISMS. They shall establish an information security policy. Top management shall ensure
that the responsibilities and authorities for respective roles.
6. Planning
7. Support
The organization shall determine and provide the resources needed for the
establishment, implementation, maintenance and continual improvement of the
information security management system. Individuals working under the organization's control shall
be aware of the information security policy and the ISMS. The organization's ISMS shall also define
requirements for competence, awareness, communication and control of documents and records.
8. Operation
The organization shall define the implementation of risk assessment and treatment, as well as
the controls and other processes needed to achieve its information security objectives.
9. Performance evaluation
10. Improvement