ISO 27001 Information Security Standard
Quality has become central to industrial and service production alike: a product cannot compete unless its level and quality exceed those of competing or alternative products.
Quality is no longer just a criterion for distinguishing a product, nor only a method for checking how far the final product conforms to such criteria. It has widened to include the optimal use of material and human resources and the exclusion of every defect from the first step of production. Achieving quality is the responsibility of everyone, from senior management through the organization's personnel to the supplier. Improving quality raises productivity and removes the cost of reworking damaged products to make them usable, and so leads to maximum profit and the largest market share. Quality is therefore like a fence, an impenetrable shield.
ISO 27001 is an ISO standard that helps organizations maintain the confidentiality and proper management of their customer information. The ISO 27001 Information Security Management System is an international framework that helps companies protect their financial data, intellectual property and sensitive customer information. With ISO 27001, companies can identify risks and manage or reduce the risks to confidential information, and in doing so they put the necessary security measures in place.
The information security management system, the basic concept of ISO 27001, is the core value that aims to support and sustain operating organizations. When a material asset is lost, the loss can usually be made good, but lost information has no physical equivalent that can replace it. Because of constant change, the relevance of information in today's developing conditions keeps growing.
This helps you to constantly review and improve the methods you apply not only for today but also for the future. ISO 27001 protects your business and your reputation. It adds value to your business by giving confidence to your customers and all stakeholders.
Information is also an important business asset. For every organization, the information it holds in its field of activity is a resource of value and must therefore be protected appropriately. Information security systems are set up to prevent information from being captured, deleted, modified or copied, and thus misused. In this sense, the information security management system was created to prevent a situation that threatens the continuity of organizations.
By implementing ISO 27001, you can protect your reputation, avoid damages, save money, comply with customer and market requirements, and reduce risks. By adopting the standard and putting in place effective processes in your organization, you are sending a clear message to your customers, employees and other third parties that you have a serious and internationally recognized practice of information security.
An organization that has obtained ISO 27001 Information Security Management System certification has demonstrated its corporate quality. It has not only met the requirements of the standard but also proven its compliance with legal regulations. By taking care of the information security of its customers, it creates a competitive advantage.
For more detailed information about what an ISO 27001 information security management system certificate is and how to obtain it, you can apply to the directors and staff of the SCIENCE certification body.
1- Concept:
Aggression against the information environment is the ugly face of modern technology. The crimes that result from it differ from ordinary crimes in their high speed, their devastating effect, and the ability of the perpetrators to evade prosecution and punishment, given that many countries lack legal systems capable of dealing with this aggression and the crimes it produces. International statistics indicate that more than two billion people use computers, that the international information network (the Internet) holds more than (13) billion pages and about (300) million websites. The information environment has thus expanded into a vast field for aggression and poses a severe challenge to the agencies that must confront it and the resulting crimes: between (24%) and (42%) of organizations in the government and private sectors have been victims of computer-related crime; (72) companies lost between (145) and (730) million dollars annually to computer crime; a United Nations study of computer risks showed that (73%) of the crimes are internal and (23%) come from external sources; the economic losses from these crimes were estimated in (1993 AD) at about (2) billion dollars; and a study of penetration cases, as one aspect of aggression against the US government apparatus, found (250,000) cases in 1995 AD, 64% of them successful, of which only (1%) to (4%) were discovered.
To confront this aggression against the information environment, the International Organization for Standardization and Metrology issued the ISO 27001 standard specification for information security management.
Certificate of conformity with ISO 27001.
The main idea of the ISO 27001 standard is based on the principles and philosophy of total quality management (TQM). The four steps that make up the model are as follows:
Establishing an Information Security Management System (ISMS).
Implementing and operating the ISMS.
Maintaining the ISMS and working to improve it.
Monitoring and reviewing the ISMS.
ISO 27001 according to the Deming cycle
2- The establishment of the ISO 27001 standard:
The previous international standard for information security was known as BS 7799, published by the British Standards Institution (BSI) in 2000. It consists of two parts. The first part, known as BS 7799-1, contains the rules and steps for managing information security and sets out the overall requirements for information security in eleven sections; BS 7799-1 is therefore the first international standard for information security. The second part, known as BS 7799-2 or the Information Security Management Standard, contains a set of specifications with instructions for their use and is intended for managing information security. This standard was used by hundreds of organizations in Great Britain and Europe until 2004. In 2005 the International Organization for Standardization (ISO) asked those concerned with information security to update BS 7799:2000 under the name of the International Organization for Standardization, relying on Part Two of BS 7799. After a series of consultations the standard ISO 17799:2005, known as ISO 27001, was issued. It is designed for use by any organization in any industry, although many small organizations may be unable to meet some of the requirements for supporting measures because of limited resources and manpower.
3- The ISO 27001 family of standards:
1- ISO 27001: includes the international supporting measures.
2- ISO 27002: compliant with ISO 17799.
3- ISO 27003: includes guidance for implementing the international supporting measures.
4- ISO 27004: includes procedures for managing the international supporting measures.
5- ISO 27005: includes information security and risk management mechanisms.
6- ISO 27006: includes information and guiding principles for recovering technology and telecommunications services after disasters.
It can be illustrated by the figure below:
4- Requirements for implementing ISO 27001:
Adopting an ISMS that meets the requirements of ISO 27001 is the ideal step for building effective security for the organization's information management. The process can be complex unless specific steps make adoption straightforward, as shown in Figure (5-9) below. The guideline for the ISO 27001 standard therefore sets out the most important requirements for its application, as follows:
1- Defining the boundaries and scope of the ISMS: these must be set in light of the characteristics of the organization's information systems in terms of size, sources and types, taking into account the organization's organizational and legislative needs.
2- Developing a strategy for the ISMS: a set of procedures and steps needed to implement the ISMS. The main success factor at this stage is senior management's support for the ISMS strategy.
3- Identifying and discovering risks: a methodology and a suitable approach for discovering risks must be specified.
4- Distinguishing between risks: separating the different types of risk that threaten information security.
5- Understanding and assessing risks: assessing current and potential risks so that available resources are used as effectively as possible.
6- Evaluating the options for treating each risk.
7- Choosing appropriate control objectives.
8- Obtaining management's approval of the identified residual risks.
9- Obtaining management's approval for implementing the ISMS.
10- Starting the implementation: this stage involves preparing the Statement of Applicability, which describes the selected documents, control objectives and controls, and the reasons for selecting or excluding each.
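Steps 3 to 10 above are easiest to follow on a concrete risk register. The script below is an added illustration, not code from the article or from ISO: it scores constructed risks on an assumed 1 to 5 likelihood-by-impact scale, chooses a treatment option against an assumed risk appetite, lists the accepted risks that management must sign off, and produces a Statement of Applicability giving a reason for including or excluding each control objective. The control names, assets and threats are constructed sample data.

```python
"""Risk register and Statement of Applicability (SoA) walk-through.
Added example; not from the article or from the ISO 27001 text.
The scoring scale, risk appetite, treatment rules and all sample data
(assets, threats, control names) are assumptions made for illustration."""
from dataclasses import dataclass
from enum import Enum


class Treatment(Enum):
    ACCEPT = "accept"      # within appetite; management signs off (step 8)
    MITIGATE = "mitigate"  # apply the selected controls (step 7)
    TRANSFER = "transfer"  # shift to an insurer or a supplier contract
    AVOID = "avoid"        # stop the activity that creates the risk


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int        # assumed 1..5 scale
    impact: int            # assumed 1..5 scale
    controls: tuple = ()   # candidate control objectives (constructed names)

    def __post_init__(self):
        # Step 3: the assessment method must be agreed before scoring starts.
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be in 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # step 5: assess


RISK_APPETITE = 6  # assumption: a score of 6 or less is tolerable


def choose_treatment(risk: Risk, appetite: int = RISK_APPETITE) -> Treatment:
    """Step 6: pick a treatment option from the score and the controls on offer."""
    if risk.score <= appetite:
        return Treatment.ACCEPT
    if risk.score == 25:      # worst case on both axes: reconsider the activity itself
        return Treatment.AVOID
    if not risk.controls:     # no internal control available: insure or contract it out
        return Treatment.TRANSFER
    return Treatment.MITIGATE


def risk_register(risks, appetite=RISK_APPETITE):
    """Steps 4 to 6 as a table of (asset, threat, score, treatment), highest score first."""
    rows = [(r.asset, r.threat, r.score, choose_treatment(r, appetite).value) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def residual_risks_for_approval(risks, appetite=RISK_APPETITE):
    """Step 8: the accepted risks that management must formally approve."""
    return [r for r in risks if choose_treatment(r, appetite) is Treatment.ACCEPT]


def build_soa(risks, all_controls, appetite=RISK_APPETITE):
    """Step 10: every control objective with an include/exclude decision and its reasons."""
    soa = {c: {"applicable": False, "reasons": []} for c in all_controls}
    for r in risks:
        if choose_treatment(r, appetite) is Treatment.MITIGATE:
            for c in r.controls:
                soa[c]["applicable"] = True
                soa[c]["reasons"].append(f"treats '{r.threat}' on {r.asset} (score {r.score})")
    for entry in soa.values():
        if not entry["applicable"]:
            entry["reasons"].append("no in-scope risk above appetite requires this control")
    return soa


# Constructed sample data; not taken from any real organisation.
CONTROLS = ("Access control policy", "Backup", "Malware protection",
            "Supplier agreements", "Physical entry controls")

SAMPLE_RISKS = (
    Risk("customer database", "access by former staff whose accounts were not revoked", 3, 4,
         ("Access control policy",)),
    Risk("file server", "ransomware encrypting shared drives", 4, 5,
         ("Backup", "Malware protection")),
    Risk("card-holder spreadsheet", "card numbers kept outside any managed system", 5, 5,
         ("Access control policy",)),
    Risk("payment processing", "outage at the outsourced provider", 2, 5),
    Risk("guest wifi", "eavesdropping on visitor traffic", 2, 2, ("Access control policy",)),
    Risk("office printer", "paper jam", 5, 1),
)

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(row)
    for control, entry in build_soa(SAMPLE_RISKS, CONTROLS).items():
        print(control, entry)
```

Two design points are worth noting. A control is marked applicable only when a risk that is actually being mitigated selects it, so the "Access control policy" entry cites the customer database risk but not the guest wifi risk (accepted) or the spreadsheet risk (avoided); and every excluded control still carries a written reason, which is what step 10 asks the Statement of Applicability to record.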
Steps to implement the requirements of ISO 27001
5- Dimensions of ISO 27001:
The component dimensions of the ISO 27001 standard are as follows:
Security policy: This dimension documents the goals of the ISMS so that the organization's management can provide appropriate support and guidance.
Organization of information security: This dimension enables the organization's management to impose security control over all the information under its control, through a set of policies, procedures, security tasks and responsibilities.
Asset Management: This dimension manages all physical and intellectual assets by giving them appropriate protection, defining ownership of and responsibility for protecting information sources.
Human Resource Security: The purpose of this dimension is to reduce the risks arising from human error. It enables the Human Resources Department to evaluate the performance of all employees more effectively through specific security responsibilities assigned to every employee within their position in the organization.
Physical & Environmental Security: This dimension secures the physical areas (information processing facilities) and the work environment within the organization as part of managing information security effectively, since every element within the organization's scope of work, including facilities, employees, customers and suppliers, plays a role in the success of its security protection.
Communications & Operations Management: This dimension provides a set of facilities (secure delivery, secure management of daily operations, and data and network operating means).
Access Control: Controlling workers' access to the information system is a major dimension in protecting the organization's information and guarding it against network intrusions.
Information Systems Acquisition, Development & Maintenance: This dimension aims to build security into information systems and to provide what is needed to keep them maintained.
Incident Management: This dimension helps the organization face emergencies, identify weaknesses in information security management, and provide appropriate solutions by building an effective communication system between the different organizational levels.
Business Continuity Management: This dimension provides the flexibility needed to deal with disasters; awareness of failures and unexpected obstacles helps keep information protection activities running.
Compliance: This dimension seeks to avoid any loopholes in, or breaches of, civil or criminal laws and legislation, and defines the contractual obligations, the requirements of organizational security policies, and the activities of system audits and security procedures.
6- Benefits of ISO 27001:
The most important benefits achieved by using the ISO 27001 standard for information security management are as follows:
It provides a general structure that enables the organization to develop and implement information security management activities effectively.
It provides the risk-based approach, a basic activity within the ISMS planning and implementation structure, which raises the effectiveness of the organization's security level.
It ensures the use of qualified people and of appropriate processes, procedures and techniques to protect information sources.
It provides information protection with reliability, safety and availability.
It complements the set of standard specifications used in business administration, such as ISO 9001.
Analysis of the facility’s security management system
1- Determine the most important risks to computer management.
2- Explain the importance to the facility of closing those risks.
3- Explain the problems that will occur if those risks are not closed.
4- Develop a plan that sets out the most important future goals for closing those risks.
5- Execute the plan.
6- Measure the implementation of the plan.
7- Improve the implementation of the plan's objectives and then update the written plan.