When you make the decision to really look at information security there are a number of options available to you in terms of how to do it and what standards to follow - NIST, COBIT, ISA, CIS or ISO. The great thing about ISO27001 for Information Security is that it really does cover all the bases and like the updates to ISO9001, 14001, 45001, ISO 27001 follows the new framework structure, so it has all of the same clauses, giving you the ability to integrate this standard into your existing Quality Management Systems and make use of existing processes and controls such as auditing, change management, management reviews and so on.
The Principles of an ISO27001 Information Security Management System
Before diving into looking at the actual standard, which like the ISO9001 standard we'll walk through clause by clause in a series of blog posts, we thought it was really important to start with a section on the main principles of good information security. That way when we walk through the standard it'll all make a little more sense, that's the plan at least!
There are 10 principles or themes that run through the standard that we'll look at over the next few blog posts, these are:
- Principle 1: Care – understand what the protections are of your information is and ensure you apply the correct controls.
- Principle 2: Awareness – Everyone in the organisation should have an awareness of what your information security policies are, why they are important, how they impact them and their part in applying and updating them.
- Principle 3: Responsibility – Giving responsibility to ensure that key tasks are done with respect to your information security systems is important.
- Principle 4: Management Commitment – ensuring that your top management is involved and supporting your information security management system approach is critical, without it you'll fail.
- Principle 5: Set some Values – these are the values that your system will be built on, is it secrecy, openness, respect, trust. It's important to think about how you want the system to be viewed and used.
- Principle 6: Risk – defining, understanding, communicating and managing the risks with respect to your information security is obviously a key element, not just because the ISO standards are now taking a risk-based approach.
- Principle 7: Integrated – Security and the thinking behind the security of your information shouldn't be a bolt on it needs to be designed in and part of the thinking process.
- Principle 8: Everyone's Involved – A system, any system only works if the users are involved and your information security management system (ISMS) will be the same, people need to be actively involved in it.
- Principle 9: Every where's Involved – your Information Security System doesn't just live in your IT Department, it's across your entire organisation, in every department and at every level.
- Principle 10: Continuous Improvement – Lets face it you knew this was coming right? Any system, without the use of continuous improvement will wither and die from lack of care. No matter how good your system is there will always be changes needed, improvements made, and you need to understand and embrace that.
Familiar Principles
If you think that these 10 principles sound familiar then that's good, they should. These are the same principles that underlay all of the ISO systems and that makes it far easier to implement than it might otherwise be. It'll also mean that as you implement ISO27001 into your organisation you will be reinforcing that system and the thinking that you installed when you did ISO9001 or 14001 or 45001. They won't feel out of place, in fact they will feel part of the day to day business and just make sense. The key will be in your ability to reflect back on these principles and explain how what you are doing supports the principle and the other existing systems.