ISO 27001
Information is one of the most valuable assets of an organization for ensuring business continuity. Although many assets can be recovered after a loss, lost information has no monetary equivalent. For this reason, the importance of information, and the need to protect it, grows day by day under today's constantly changing conditions.
Information can be used and stored in written and electronic media, passed on orally, held in the memory of employees, and handled in many other ways. Many of these usage patterns become unavailable or change over time as technology develops. Because of this change, information security must be continuously questioned and controlled. In general terms, information security means protecting the confidentiality of information and ensuring its integrity and availability.
Why ISO 27001
The ISO 27001 management system is aimed at ensuring corporate information security. It is a management system that covers personnel, processes and information systems and is supported by top management. It aims to protect information assets and to provide adequate and proportionate security controls in order to increase the confidence of interested parties. The ISO 27001 information security management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.
The ISO 27001 and ISO 27002 information security management system standards are based on the BS 7799 standard. BS 7799 was published by BSI (British Standards Institute) in 1995 and consists of two parts. The first part, BS 7799-1, contains best practices for information security management. In 2000 the standard was adopted by ISO and published as ISO 17799 Information Technologies-Practical Principles of Information Security Management.
ISO 27001 Development
ISO 17799 was included in the ISO 27000 series as ISO 27002 in 2007. The second part was published by BSI in 1999 under the name BS 7799-2 Information Security Management System Requirements. This part focuses on how an ISMS should be established. It was published by ISO in 2005 under the name ISO 27001 Information Security Management System Requirements. The latest revisions of the ISO 27001 and 27002 standards were published on September 25, 2013.
ISO/IEC 27001:2013 defines the requirements for the establishment, implementation, operation and continuous improvement of an information security management system within an organization. It also includes requirements for the assessment and improvement of information security risks related to the organization's needs.
The requirements given in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, whatever their type, size and nature. ISO 27001 requires organizations to prepare risk management and risk treatment plans, roles and responsibilities, business continuity plans, and emergency management procedures, and to maintain records showing that these are applied in practice.
Organizations should publish an information security policy covering all these activities, and their personnel should be made aware of information security and its threats. Information security management is a living process: the selected control objectives are measured and the applicability and performance of the controls are continuously monitored, which can only be achieved with the active support of management and the participation of personnel.
Documents Required for ISO 27001 Application
- Security management system manual. This explains why the institution needs the system, the risks to information, possible security gaps, how the risks are managed, and how the information security policies are created.
- Information security management system policy. The policy is based on a decision of the organization's top management. These policies, which relate directly to the organization's field of activity, include general policies, information access policies, password security policies, information system backup policies, server security policies, data destruction policies, personnel security policies, visitor admission policies and physical security policies.
- Information security management system program. Risk management procedures, incident and breach procedures, disciplinary procedures, business continuity procedures, and similar procedures that the organization should prepare in accordance with the system requirements.
- Job descriptions. The authorities and responsibilities of employees regarding information security should be included in their job descriptions.
- Information security instructions. Operating instructions for the system computer room, VPN security instructions, server maintenance instructions and similar application instructions, prepared according to the processes above.
In order to ensure the smooth and systematic operation of the system, many new forms need to be put into practice.
ISO 27001 Standard
The ISO 27000 standard is part of the growing series of ISO/IEC ISMS standards. The ISO 27000 series (ISO 27001, ISO 27002, ISO 27003, etc.) is a set of international standards covering topics such as information technology, security techniques, and the information security management system overview and vocabulary.
Like many other technical subjects, the ISO 27001 information security standard creates a complex web of terms. Relatively few researchers have attempted to define the full meaning of these terms, which leaves the standard's method and the assessment and certification process open to confusion. The ISO 27000 standard was developed by a subcommittee of the Joint Technical Committee established jointly by the International Organization for Standardization and the International Electrotechnical Commission.
What are ISO 27001 Information Security Standards?
The information security standards are as follows:
- ISO/IEC 27001:2013 Information Security Management System-General Conditions (certification is granted against this standard)
- ISO/IEC 27002:2013 Code of Practice for Information Security Controls
- ISO/IEC 27003:2010 Information Security Management System Implementation Guide
- ISO/IEC 27004:2009 Information Security Management-Measurement
What are ISO 27001 Procedures?
The principles that form the basis of the ISO 27001 information security management system are as follows:
Confidentiality: Confidentiality means that access to information that needs to be protected within the organization is closed to unauthorized persons, and that unauthorized persons are prevented from disclosing it. In other words, the information is confidential and must be protected.
Availability: Availability of information means that authorized personnel can access it whenever it is needed. Even if the organization encounters problems, the information should remain accessible and ready for use. In other words, those who are authorized to access the information are actually able to do so.
Integrity: Integrity means that the information reaches authorized personnel as it was at its source: it has not been changed, has not been damaged, and remains consistent. If the information has been partially changed or damaged, it can no longer be considered complete.
Organizations that attach importance to information security and aim to protect their information should classify the locations where information is held and determine the protection methods for each. The information security management system is the system that establishes and maintains this security.
How should the ISO 27001 Certification Process be?
After an organization has established its ISO 27001 information security management system, it will naturally want a certificate to prove it. However, the work does not end with establishing the system, because the purpose of setting it up should not be merely to obtain a certificate. Once the system is in place, it must be operated and monitored so that the expected benefits emerge over the long run. The management system cycle never ends.
According to the established control principles, the risks to information protection must always be kept under control: measures should be taken to eliminate the risks or at least reduce their effects, any new risks that arise should be evaluated, and risks that cannot be eliminated should also be evaluated. Among these, the risks to be accepted should be evaluated and approved by senior management. This process is continuous.
Organizations that meet all the requirements of the ISO 27001 standard can then obtain a certificate by applying to a certification body, which must be an accredited body. When the certification body receives an application, it first reviews the system documents it requests from the organization.