Security of information is essential for the reliability, and perhaps even the survival, of the organisation. Every IT infrastructure uses data clusters to store information, and these are often targeted by attackers who want to infiltrate their resources for many different reasons, quite often financial. It is not as it used to be years ago, when we had to deal with an individual or a group of individuals who were gaining access to classified documents for fun. Nowadays there are organisations with proper managers and directors who hire programmers and make a business of breaking into systems and stealing personal data. Security has become even more important, and just as complicated, in the fight against what we now call cybercrime.
ISO 27001/2 helps to manage the valuable resource that is information, and to protect it.
ISO 27001/2 is the international standard that specifies requirements for information security management systems (ISMS). It was developed to ensure that adequate and organised security measures are selected and implemented at least at a minimum level.
This helps to protect information and gives confidence to the users, managers and directors of a company that has implemented it. The standard's process is based on establishing, implementing, operating, monitoring, testing, maintaining and improving information systems.
(Calder A., et al. Information Security Risk Management for ISO 27001/ISO 17799, 2007)
ISO 27001 areas
• Security policy – controls the security structure in line with legal and business requirements. It has two parts: the information security policy document, which shows the organisation's overall approach and dedication to its information security, and the review of the information security policy, which is based on the first document and shows ongoing progress.
• Organization of information security – is quite detailed and important, as it makes it possible to manage information security within the company. It is based on authorisation and accountability: rights are assigned to job descriptions. It documents the rights of external services such as auditors and provides user agreements and risk assessments for both internal and external authorities.
• Asset Classification and Control – is a set of policies that helps to protect company assets. It provides a classification for the assets, so that it is obvious which information should be protected more than other information, and also policies under which some assets may need to be disposed of.
• Personnel Security – addresses ways to reduce the risk arising from human interaction with the system. The code of conduct and the terms and conditions of employment that we refer to nowadays are some of its implementations. It also defines rules for cases where its implemented policies are violated.
• Physical and Environmental Security – as its name suggests, controls the risk arising from the organisation's premises. It covers all sets of health and safety tests and environmental hazards and, most importantly, access needs to be classified so that, for instance, a payroll officer does not have physical access to the data centre unless his job description entitles him to it. It contains a mechanism that should be triggered in case of a security breach.
• Communication and Operation Management – covers the general ability to control the proper functioning of all assets and operations. It includes sets of operational procedures, rules to reduce the risk when malicious software is detected, and network management. It should also contain information about incident management and ways to evaluate the security of the current state of the system.
• Access Control – simply means user and host control. It covers mechanisms to register and review user accounts and to define network routing and segmentation, which is also a form of access control: for instance, which subnet you are on determines what network traffic you can listen to. An example of host access control is the implementation of connection timeouts. One of the most recent sets of policies addresses mobile computing, due to its growth over the years.
• System Development and Maintenance – addresses a set of rules to make sure that appropriate security controls are implemented and maintained. A few of its sub-components are cryptography, software integrity and development security, all of which ensure integrity and review the development process.
• Business Continuity Management – includes a set of policies for service interruptions, with strategies and counteractions in case they happen.
• Compliance – as its name suggests, is a set of policies in place to make sure that everything meets some sort of standard. It includes things like data privacy, often seen on commercial websites, as well as many internal documents such as intellectual property rights.
(audit-is.com. ISO 27002 (ISO 17799), 2006)