Information is a valuable asset that can make or break your business. When properly managed it allows you to operate with confidence. Information security management gives you the freedom to grow, innovate and broaden your customer base in the knowledge that all your confidential information will remain confidential.
ISO/IEC 27001 is the international standard for information security management. It outlines how to put in place an independently assessed and certified information security management system. This allows you to more effectively secure all financial and confidential data, so minimizing the likelihood of it being accessed illegally or without permission.
As part of any ISO 27001 compliance initiative, all information within the organisation must be assigned a classification level. There are many ways of doing this, from simply adding a footer to a Word document to using stamps to mark paper documents with the appropriate level of classification. The problem with these approaches is that they depend on people remembering to apply the right label every time, so they are open to human error. Information classification software addresses this problem by applying and enforcing labels consistently.
ISO 27001 allows organizations to define what parts of its overall ecosystem are in scope for compliance. Organizations must then create an Information Security Management System (ISMS), which includes a number of documents and controls, as described in ISO 27002.
ISO 27001 requires the organisation to define a scope, documented in a statement of applicability ("SOA"), around which its security controls are built. Whilst it would be easy to look at the ISO 27001 requirements and see that only a few of them directly mention application security, managers and internal compliance teams should understand that it is important to first determine the scope and then build security around it.
ISO 27001 covers the following:
- Personnel security
- Organization of information security
- Human resources security
- Physical and environmental security
- Communications & operations management
- Systems development and maintenance
- Access controls to provision and monitor access to information
- Security incident management
- Business continuity management
- Compliance with applicable legal and industry security standards