
Information Security Management Systems, ISO 27001 and the Benefits of Implementation

All about ISO 27001 and the benefits of implementation.

By Wayne MaCcaw. Published 9 months ago. 5 min read.

This blog takes a back-to-basics approach, focusing on the fundamentals of information security and ISO 27001 certification. It begins with the core component: the information security management system, usually referred to simply as the ISMS.

What is an Information Security Management System?

If we could trust people not to tamper with our information and systems, we wouldn't need information security controls, from basic passwords to robust encryption. In reality, controls are necessary to ensure that only authorized individuals and systems can access specific sets of information, and that the information can be relied upon, accurate and available, whenever it is legitimately required.

While the concept is straightforward, the number of information security controls available worldwide is vast, and it is impractical for any organization, regardless of size or complexity, to implement all of them. Many controls also carry a cost in productivity, so controls have to be selected against explicit criteria rather than adopted wholesale.

One approach is to adopt a fixed set of controls, such as the 133 controls in version 3.0.1 of the Cloud Security Alliance's Cloud Controls Matrix (197 in version 4). However, catalogue entries of this kind describe control objectives rather than specific solutions, and whichever framework is used, implementing every control means spending effort and money on controls that mitigate risks the organization does not actually face, while possibly still missing ones it does.

In ISO 27001, Annex A presents a similar reference list of 114 information security controls (reduced to 93 in ISO 27001:2022, grouped into organizational, people, physical and technological themes). The standard does not require all of them. Clause 6.1.2 requires a documented risk assessment, and clause 6.1.3 requires the organization to determine the controls needed to bring unacceptable risks down to an acceptable level, compare them against Annex A to check that nothing necessary has been overlooked, and record the result in a Statement of Applicability that justifies both the controls included and those excluded. This is what is meant by a "risk-based approach": the risk assessment and risk treatment processes, which are core requirements of ISO 27001, decide which controls are implemented, monitored and maintained, and the Annex A list serves as a checklist rather than a mandate.

The remaining processes mandated by ISO 27001 serve to support the effectiveness of the risk assessment and risk treatment processes, ensuring that the organization continually maintains an optimal information security posture.
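To make the risk-based approach concrete, here is an added example (not the author's code, and not an official ISO artefact) that walks a small constructed risk register through the three steps the standard requires: score each risk, treat the ones above the acceptance criterion, and produce a Statement of Applicability that justifies every reference control as included or excluded. The 1 to 5 likelihood and impact scales, the acceptance threshold of 6, the control effectiveness figures, the exclusion reason and the register entries are all constructed for illustration; the A.x.y references follow the ISO/IEC 27001:2022 Annex A numbering as I understand it and should be checked against your own copy of the standard.

```python
"""Risk assessment, risk treatment and Statement of Applicability, in miniature.

Added example for this post (not the author's code). All scales, thresholds,
effectiveness figures and register entries are constructed; A.x.y references
follow ISO/IEC 27001:2022 Annex A numbering and should be verified.
"""
from dataclasses import dataclass

# Assumption: the organisation accepts any risk scoring 6 or less on a
# 1..25 (likelihood x impact) scale. Real criteria are set by top management.
ACCEPTABLE_RISK = 6


@dataclass(frozen=True)
class Control:
    ref: str                       # Annex A reference, e.g. "A.8.5"
    name: str
    likelihood_reduction: int = 0  # constructed effectiveness estimate
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int            # 1 rare .. 5 almost certain
    impact: int                # 1 negligible .. 5 severe
    candidate_controls: tuple  # controls the assessor thinks could treat it


@dataclass
class Treatment:
    risk: Risk
    decision: str              # "accept", "mitigate" or "escalate"
    selected: list
    residual_likelihood: int
    residual_impact: int

    @property
    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact


def inherent_score(risk: Risk) -> int:
    return risk.likelihood * risk.impact


def treat(risk: Risk, acceptable: int = ACCEPTABLE_RISK) -> Treatment:
    """Select the fewest candidate controls that bring the risk within the criterion.

    Risks already within it are accepted untreated. If every candidate is applied
    and the residual is still too high, the risk is escalated: more controls are
    needed or the risk owner must formally accept the residual risk.
    """
    lik, imp = risk.likelihood, risk.impact
    if lik * imp <= acceptable:
        return Treatment(risk, "accept", [], lik, imp)

    selected = []
    remaining = list(risk.candidate_controls)
    while remaining and lik * imp > acceptable:
        # Greedy choice: the control that lowers the *current* score the most.
        def residual_after(c: Control) -> int:
            return max(1, lik - c.likelihood_reduction) * max(1, imp - c.impact_reduction)

        best = min(remaining, key=residual_after)
        remaining.remove(best)
        selected.append(best)
        lik = max(1, lik - best.likelihood_reduction)
        imp = max(1, imp - best.impact_reduction)

    decision = "mitigate" if lik * imp <= acceptable else "escalate"
    return Treatment(risk, decision, selected, lik, imp)


def statement_of_applicability(treatments, reference_controls, exclusion_reasons):
    """Each reference control is justified by a treated risk or excluded with a reason."""
    soa = {}
    for ctl in reference_controls:
        justified_by = [t.risk.threat for t in treatments if ctl in t.selected]
        if justified_by:
            soa[ctl.ref] = "applicable: treats " + "; ".join(justified_by)
        else:
            soa[ctl.ref] = "excluded: " + exclusion_reasons.get(
                ctl.ref, "no assessed risk requires it (re-check at next review)")
    return soa


# Constructed reference set, exclusion justification and register entries.
MFA = Control("A.8.5", "Secure authentication", likelihood_reduction=3)
CRYPTO = Control("A.8.24", "Use of cryptography", impact_reduction=3)
BACKUP = Control("A.8.13", "Information backup", impact_reduction=2)
MALWARE = Control("A.8.7", "Protection against malware", likelihood_reduction=1)
PERIMETER = Control("A.7.1", "Physical security perimeters", likelihood_reduction=2)
REFERENCE_CONTROLS = (MFA, CRYPTO, BACKUP, MALWARE, PERIMETER)
EXCLUSION_REASONS = {"A.7.1": "fully remote organisation, no premises in the ISMS scope"}

SAMPLE_RISKS = (
    Risk("customer database", "credential stuffing against the admin login", 4, 5, (MFA,)),
    Risk("staff laptops", "loss of an unencrypted laptop while travelling", 3, 4, (CRYPTO,)),
    Risk("marketing website", "defacement of static brochure pages", 2, 2, (MALWARE,)),
    Risk("file server", "ransomware encrypting shared drives", 4, 5, (BACKUP, MALWARE)),
)


def risk_treatment_plan(risks=SAMPLE_RISKS):
    return [treat(r) for r in risks]


if __name__ == "__main__":
    plan = risk_treatment_plan()
    for t in plan:
        refs = ", ".join(c.ref for c in t.selected) or "-"
        print(f"{t.risk.asset:18} inherent {inherent_score(t.risk):>2} "
              f"residual {t.residual_score:>2} {t.decision:8} controls: {refs}")
    for ref, status in statement_of_applicability(plan, REFERENCE_CONTROLS, EXCLUSION_REASONS).items():
        print(ref, status)
```

Two things in the output are worth noticing. The website defacement risk is accepted with no control at all, which is a legitimate outcome of the risk-based approach and would be unthinkable under a "implement every control" model. The ransomware risk ends up escalated: both candidate controls are applied and the residual score is still above the criterion, so the register cannot simply be closed; either further controls are identified or the risk owner signs off on the residual risk, and either way the decision is recorded. The physical perimeter control is excluded from the Statement of Applicability with a written justification rather than silently left out, which is what an auditor will look for.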

What is ISO 27001?

ISO/IEC 27001 (ISO 27001), now in its 2022 edition, which superseded ISO/IEC 27001:2013, is a globally recognized management system standard aimed at assisting organizations in enhancing their information security capabilities through continual improvement.

Because it is risk-based, ISO 27001 can be implemented in organizations of any size or industry sector. Threat types and the kinds of control that mitigate them are generic; what differs between organizations is the likelihood and impact of each threat, and that is exactly what the risk assessment captures. A small organization and a large one may face the same threat, but the assessment will usually score it differently and so justify a different depth of control.

The beauty of ISO 27001 lies in its applicability to diverse organizations, ensuring that information security measures are in place to address risks effectively, protect valuable assets, and maintain the confidentiality, integrity, and availability of information.

What is the relevance of confidentiality, integrity and availability (CIA)?

When safeguarding information assets, we typically focus on protecting the three fundamental security attributes known as the CIA triad: confidentiality, integrity, and availability.

Confidentiality: This refers to the protection of information from unauthorized access, ensuring that only authorized users or systems can access the information.

Integrity: It involves maintaining the accuracy, completeness, and trustworthiness of information, preventing unauthorized modifications, and ensuring that information remains reliable and unaltered.

Availability: This ensures that legitimate users and systems can access and utilize information when needed, including the means by which the information is processed or used.

Although the 2013 edition was titled "ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements" (the 2022 edition files it under the broader heading "Information security, cybersecurity and privacy protection"), it is important to note that information security encompasses more than just IT.

Information assets include various forms of information, whether digital, printed, or in other formats such as voice, as well as the supporting elements and processes that enable the use and protection of that information. Notably, only 34 of the 93 controls in ISO 27001:2022 Annex A (detailed in ISO/IEC 27002:2022) fall under the technological theme, that is, fewer than 40%. The other 59 are organizational (37), people (8) and physical (14) controls, which often sit outside the IT function and require a holistic approach to information security management.

How can an ISMS be integrated into an organisation?

Just like any new initiative within an organization, implementing an information security management system (ISMS) may initially feel burdensome to staff members as it introduces new responsibilities and tasks.

However, many activities involved in selecting, implementing, and maintaining information security controls are often part of regular "business as usual" operations already carried out by individuals across the organization. These existing activities can serve as a foundation for the risk assessment and treatment processes at the core of the ISMS. The ISMS framework can incorporate any missing elements such as documented procedures and control performance monitoring.

In organizations without a systematic approach to information security, policy reviews are often neglected: once policies are written, they are assumed to remain suitable indefinitely, and reviews typically happen only after a policy has failed. Adopting a proactive approach to policy review, akin to planned maintenance, is usually a relatively simple transition from this reactive practice.

Furthermore, an ISMS that conforms to ISO 27001 can be integrated with other ISO-based management systems such as ISO 22301 for business continuity management and ISO/IEC 20000-1 for IT service management. Current ISO management system standards share the same harmonized structure of clauses (context, leadership, planning, support, operation, performance evaluation, improvement), so common activities like management reviews, internal audits and corrective action can be standardized and run once for several systems. This lets organizations streamline processes, capitalize on synergies and minimize the overall investment in both the design and operation of multiple management systems.

What are the benefits of implementing an ISMS, if an organisation is already controlling and protecting its information?

The "continual improvement" model at the core of ISO management system standards, including ISO 27001 requirements, ensures that risk assessment, treatment, and other related processes are conducted iteratively. This allows organizations to adapt to changing threats and vulnerabilities by regularly updating their risk treatment plans, thus ensuring the ongoing effectiveness of implemented controls.

Furthermore, top management receives regular assurance that all reasonably identifiable information security risks are being appropriately managed. Some directors may not realize they need this information, but they are accountable for those risks, so they need to understand it and be kept informed.

The additional assurance provided by accredited certification from a third-party further enhances trust, both internally for top management and externally for stakeholders.

Certification to a recognized framework, such as ISO 27001, is increasingly preferred by organizations when selecting suppliers. In the digital era where information underpins almost everything, buyers need to have confidence in their suppliers, and relying on an accredited third-party's assessment based on ISO 27001 requirements is a reliable means to establish that trust.

ISO 27001 offers a framework for organizations to control and influence the management of information security risks and the implementation, management, and improvement of controls. Implementing an ISMS and achieving ISO 27001 certification bring numerous benefits, including reputational enhancement, financial advantages, strategic opportunities, and increased security awareness and engagement across all levels of the organization.

With a structured framework like ISO 27001 supporting the topic of information security, senior managers with other primary responsibilities are more likely to support important activities such as raising awareness, assessing competence, and ensuring policy compliance.


About the Creator

Wayne MaCcaw

I'm an experienced Information Security professional with huge experience of both in-house and private practice, possessing a thorough understanding of the key drivers behind effective IT and Information Security solutions.


    © 2024 Creatd, Inc. All Rights Reserved.