
ISO27001 Information Security System

2021-05-07

Introduction to ISO27001

ISO/IEC 27001 (Information Security Management Code of Practice) has as its predecessor the British standard BS7799, which was proposed by the British Standards Institute (BSI) in February 1995 and revised in May 1995. BSI revised the standard again in 1999. BS7799 is divided into two parts: BS7799-1, Code of Practice for Information Security Management, and BS7799-2, Specification for Information Security Management Systems. The first part provides recommendations on information security management for the personnel responsible for initiating, implementing or maintaining security in their organization; the second part sets out the requirements for establishing, implementing and documenting an information security management system (ISMS), and the organization shall implement the security control requirements according to its own needs.


ISO/IEC 27001 gives recommendations on information security management for those who are responsible for initiating, implementing or maintaining security in their organization. The standard provides a common basis for developing an organization's security standards and effective security management practices, and provides a basis for trust in interactions between organizations.


The standard states that "just like other important business assets, information is an asset." It has value to an organization and therefore needs to be properly protected. Information security protects information against a wide range of threats in order to ensure business continuity, minimize the risk of business damage, and maximize return on investment and business opportunities.


Information security is achieved by implementing a suitable set of controls. Controls can be policies, practices, procedures, organizational structures and software functions. These controls need to be established to ensure that the specific security objectives of the organization are met.

Benefits of implementing ISO27001

1. Meet the requirements of laws and regulations
Obtaining the certificate can demonstrate to the authorities that the organization has complied with all applicable laws and regulations, thereby protecting the information system security, intellectual property rights and trade secrets of the enterprise and its related parties.
2. Maintain the company's reputation, brand and customer trust
Obtaining the certificate can strengthen employees' information security awareness, standardize the organization's information security behavior, and reduce unnecessary losses caused by human factors.
3. Fulfill information security management responsibilities
Obtaining the certificate itself proves that the organization has made productive efforts in security protection at every level, and that management has fulfilled its relevant responsibilities.
4. Enhance employees' awareness, sense of responsibility and related skills
Obtaining the certificate can strengthen employees' information security awareness, standardize the organization's information security behavior, and reduce unnecessary losses caused by human factors.
5. Maintain continuous business development and competitive advantage
Establishing a comprehensive information security management system means that the various information assets on which the organization's core business relies are properly protected, and that an effective business continuity plan framework has been established, enhancing the organization's core competitiveness.
6. Realize risk management
It helps the organization better understand its information systems, identify existing problems and protection measures, ensure that its information assets are properly protected under a reasonable and complete framework, and ensure the orderly and stable operation of the information environment.
7. Reduce losses and reduce costs
Implementing an ISMS can reduce the losses an organization suffers from potential security incidents. When the information system is attacked, it can ensure the continued operation of the business and minimize the loss.

Which industries does ISO27001 apply to?

It is applicable to organizations of all types, sizes and characteristics (for example: commercial enterprises, government agencies, non-profit organizations, etc.), and specifies the implementation requirements for security controls tailored to the needs of different organizations or their departments. The following examples illustrate the different categories of risk.
1. Specific risk categories applicable to all organizations:
1) Salary, pension, health and safety, organizational files, internal and inter-departmental information, etc.;
2) Any other personally identifiable information;
3) Any other commercially sensitive/critical information, such as R&D information, design information, customer organization details, financial results and forecasts, business plans, intellectual property rights, manufacturing processes, etc.
2. Specific risk categories applicable to government sensitive and/or critical information:
1) Public information;
2) E-government applications;
3) Citizen information held, for example, health, relief funds, taxes, files, etc.;
4) Information held by government suppliers and manufacturers, such as information and communication technology (ICT) designs, facilities, products, services, etc.
3. Specific risk categories applicable to the type of organization:
1) Corporate governance: listed companies (and possibly other large entities).
4. Specific risk categories applicable to the industry:
1) Health care;
2) Education;
3) Aerospace;
4) Telecommunications;
5) Financial services;
6) Charities and non-profit organizations.