Information Security Management

Select Consultancy Services Ltd can provide a complete package, including training, documentation development and other assistance, to ensure your company achieves this important management standard.

In our modern world, most organisations have implemented systems for information security controls. However, over time these systems tend to become disorganised and disjointed, pointing to the need for an overarching information security management system (ISMS).

In most organisations, the existing security controls typically address limited aspects of IT or data security. They often neglect non-IT information assets (such as paperwork and proprietary knowledge). Often, business continuity planning and physical security are managed independently of IT or information security. Additionally, Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organisation.

If an organisation elects to adopt ISO/IEC 27001, the standard requires that management:

  • systematically examine the organisation’s information security risks, taking account of the threats, vulnerabilities and impacts;
  • design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
  • adopt an overarching management process to ensure that the information security controls continue to meet the organisation’s information security needs on an ongoing basis.

ISO 27001 can:

  • act as an extension of the current quality system to include security
  • provide an opportunity to identify and manage risks to key information and system assets
  • provide confidence and assurance to trading partners and clients, and act as a marketing tool
  • allow an independent review of, and assurance on, your information security practices

A company may want to adopt ISO 27001 for the following reasons:

  • It is suitable for protecting critical and sensitive information
  • It provides a holistic, risk-based approach to securing information and achieving compliance
  • It demonstrates credibility, trust, satisfaction and confidence to stakeholders, partners, citizens and customers
  • It demonstrates security status according to internationally accepted criteria
  • It creates market differentiation through prestige, image and external goodwill
  • Once a company is certified, the certification is accepted globally.

While other sets of information security controls may potentially be used within an ISO/IEC 27001 ISMS as well as, or even instead of, ISO/IEC 27002 (the Code of Practice for Information Security Management), these two standards are normally used together in practice. Annex A to ISO/IEC 27001 succinctly lists the information security controls from ISO/IEC 27002, while ISO/IEC 27002 provides additional information and implementation advice on the controls. The domains covered by ISO 27002 include:

  • Security policy
  • Organization of information security
  • Asset management
  • Human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development and maintenance
  • Information security incident management
  • Business continuity management
  • Regulatory compliance

Organisations that implement a suite of information security controls in accordance with ISO/IEC 27002 are likely to meet many of the requirements of ISO/IEC 27001 at the same time, but may lack some of the overarching management system elements. The converse is also true: an ISO/IEC 27001 compliance certificate provides assurance that the management system for information security is in place, but says little about the absolute state of information security within the organisation. Technical security controls such as antivirus and firewalls are not normally audited in ISO/IEC 27001 certification audits: the organisation is essentially presumed to have adopted all necessary information security controls, since the overall ISMS is in place and is deemed adequate by satisfying the requirements of ISO/IEC 27001. Furthermore, management determines the scope of the ISMS for certification purposes and may limit it to, say, a single business unit or location. The ISO/IEC 27001 certificate therefore does not necessarily mean that the remainder of the organisation, outside the scoped area, has an adequate approach to information security management.

To receive more information on our services or to make an appointment to review your needs please contact us.