3.0 Why not ISO 27001? (For whom ISO 27001 is not a useful tool)
ISO 27001 is not useful for those who:
1. Do not want to spend money.
2. Believe in a monopoly supplier.
3. Do not care for customers.
4. Have unlimited resources.
5. Do not believe in involving people.
6. Do not want to train employees.
7. Enjoy fire fighting and quick fixes.
8. Believe that quality does not pay.
9. Do not want to commit anything on paper.
10. Expect miracles to overcome challenges.
11. Have other sources of income and don't want to grow.
The ISO 27001 specification envisages five core elements of an ISMS for the purpose of
certification by third parties. These are:
1. Commitments and Policy
An organization should define its ISMS policy and focus on what needs to be
done for ensuring continual ISMS performance. It should also ensure
commitment to the policy.
2. Planning
An organization should formulate a plan to fulfill its ISMS policy.
3. Implementation
For effective implementation an organization should develop the capabilities
and support mechanisms necessary to achieve its ISMS policy, objectives
and targets.
4. Measurements and Evaluation
An organization should measure, monitor and evaluate its ISMS
performance.
5. Reviews and Improvement
An organization should review and continually improve its ISMS, with the objective
of improving its overall ISMS performance.
5.4 Objectives of revisions in ISO standards
1. Enhance an organization's ability to satisfy customers.
2. Maintain relevance, provide an integrated approach to organizational management,
and integrate with other management system standards.
3. Reflect the needs of all user groups and increasingly complex operating environments.
4. Increase confidence in an organization's ability to provide conforming goods and/or
services.
5. Enhance customer confidence in information security management systems based
on ISO 27001.
6. Set a consistent foundation for the next 10 years.
All the progressive units in the Indian IT sector today have adopted some system for
securing their data. However, such systems generally contain many bugs and loopholes.
The experience of other industries in India and abroad shows that extensive efforts on the
part of each and every person in the organisation are needed to upgrade the existing system
to meet the requirements of ISO 27001 ISMS. The revised ISO 27001:2013 standard requires
an approach of identifying risks and taking the necessary actions to treat them.
The time required to establish this system in any company may vary depending on the
company's present status and work culture. The total cost includes the cost of
consultancy, the fees of the certifying body, resource requirements, etc., depending on the
infrastructure available within the company's established system and the complexity of the
work involved.
Annexure - 1
The consequent changes in the structure and terminology do not need to be reflected in the
documentation of an organization’s information security management system.
The scope of the standard states, in part, that this International Standard is applicable
where an organization needs to demonstrate its ability to consistently provide products and
services that meet customer and applicable statutory and regulatory requirements and aims to
enhance customer satisfaction. No requirement of this International Standard can be
interpreted as extending that applicability without the agreement of the organization.
One of the key purposes of an information security management system is to act as a preventive
tool. Consequently, this International Standard does not have a separate clause or sub-clause
titled 'Preventive action'. The concept of preventive action is expressed through a risk-based
approach to formulating information security management system requirements.
The risk-based approach to drafting this International Standard has facilitated some
reduction in prescriptive requirements and their replacement by performance-based
requirements.
4 Applicability
Where a requirement can be applied within the scope of its information security management
system, the organization cannot decide that it is not applicable. Where a requirement
cannot be applied (for example where the relevant process is not carried out) the organization
can determine that the requirement is not applicable. However, this non-applicability cannot be
allowed to result in failure to achieve conformity of products and services or to meet the
organization’s aim to enhance customer satisfaction.
5 Documented information
Annexure - 2
Plan what you do. (For any activity, planning is important, and for an ISMS you have to plan
resources / objectives / activities / controls / procedures, etc.)
Do what you say. (Implement your plan; deploy resources and confirm that work follows the plan.)
Check what you do. (Measure and monitor your activities and results for conformity and
effectiveness of the system.)
Act. (Analyze / review / decide / change / improve effectiveness.)
Annexure - 3
The overall aim of the ISO 27001:2013 standard is to add value by planning and controlling
processes.