Why does a business need a holistic security management framework?
An information security management system (ISMS) is "a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation's information security to achieve business objectives" (ISO/IEC 27000:2014).
Under ISO 27001, the controls are never only IT-related: they also involve organizational issues, human resources management, physical security and legal protection. The standard enables your organization to take into account information in all its forms and all the potential problems, and gives you a methodology for keeping that information secure. Information security is therefore a set of combined controls, very diverse in nature (see diagram below).
An ISO 27001-aligned ISMS protects and monitors information and follows a continual improvement approach, allowing the organization to keep up with evolving threats. The standard takes a holistic approach to information security that encompasses people, processes, technology and assets.
An ISO 27001-compliant ISMS helps you coordinate all your security efforts (technological, people-based and physical) coherently, consistently and cost-effectively. The ISMS is a constantly evolving system, based on regular risk assessments to ensure that threats are identified and treated appropriately, in line with the organization's risk appetite.
This package, at a price of SG$5,388, includes our flagship ISO27001 Documentation Toolkit, three critical standards from the ISO 27000 family, two bestselling books, and the definitive ISO27001 risk assessment software tool, vsRisk™.
This package, at a price of SG$6,378, contains the core ISO27001 standards, two bestselling ISO27001 implementation guidance manuals and implementation tools.
This consultancy service combines essential ISO27001 tools and resources with live, online qualifications-based training, in addition to ten days of Mentor and Coach consultancy at each key stage of your ISO27001 implementation project for a fee of SG$26,868.
A fixed-price online consultancy package at SG$21,060, designed to help small organisations (<20 employees) reach ISO27001 certification readiness in just three months.
The ISO27001 bespoke consultancy service helps organisations, wherever they are based and whatever their industry, get ready for accredited certification as quickly and cost-effectively as possible.
Outsource your internal audit to an auditor with deep practitioner experience of ISO27001 and the audit process, and gain the assurance you need to meet your clients' and stakeholders' demands. This service consists of two separate audit days spread over one year.
When you have a lean budget, get specialist advice from experienced ISO27001 practitioners to identify what is required to achieve certification readiness, with this in-person review of your information security arrangements against the requirements of ISO/IEC 27001:2013.
- Market Differentiation
- Proactive versus Reactive Security Management, and Defensibility
- Consistent Third-party Governance, Risk, and Compliance (GRC) Management
- Legal and Regulatory Compliance
- Information Risk Management
- Time-based Assurance
- Organizations, large and small, have felt increasing pressure from current customers, potential customers, and regulators, to adopt a defensible, risk-based ISMS, as opposed to abiding by the customary and vague reliance on "best practices" or other standards that are not specific to the discipline of information security; e.g., SAS 70 Type II.
- The effort involved in raising the maturity of the security program to a certifiable level is proof to clients and potential clients that your organization is actively maintaining its information security posture.
- This creates increased selling opportunities: a mature and capable ISMS, certified to an international standard, gives you a greater chance to win business where your company's security is a critical element, including with clients who will only work with suppliers that already have a certified security program in place.
- A defensible approach to information security reduces the effort of responding to the rising volume of security questionnaires that an organization receives from clients and potential clients. Given the increasingly cumbersome regulatory environment, such detailed inquiries are often defended as "doing due diligence", even though they impose a significant time and workload burden on the receiving organization.
- An ISMS allows the information security function to be proactive in developing, deploying, managing and maintaining an information security program. Information security is no longer forced into a constant "fire-fighting" mode, and the inefficiencies that come with it are avoided.
- Reduced effort and time to respond to inquiries, shortening the sales cycle, and reducing the number of audit or review cycles, thereby increasing efficiencies.
- Contract or service agreement language often does not address specific requirements for the preservation of information confidentiality, integrity, and availability. A supplier risk assessment or audit can check to see if security expectations are adequately met, but by itself, this activity does not communicate the actual requirements or criteria.
- With an ISO 27001-based ISMS, third-party requirements, specifications, responsibilities and communication are an integral part of the system. You can raise your level of assurance by knowing that the third parties are "on the same page" as your company. Suppliers are able to deliver services at the desired levels, with processes and security measures that are defined, visible and accountable to you.
- Benefit: Clear communication of security requirements to third parties and scheduled periodic reviews of compliance with such requirements.
- Third parties with a full understanding of requirements can provide more accurate pricing for services and are not "surprised" near the end of the contract process with unanticipated demands. Periodic compliance assessments become a scheduled part of third-party governance with specific, stated objectives and increased focus on defined remediation tasks where necessary.
- The legal and regulatory environment is increasingly rigorous and, unfortunately, increasingly burdensome. Recently introduced law and regulation often requires a risk-based approach and informed-choice decision making to achieve compliance. Both of these qualities are inherent in an ISO 27001 ISMS, along with a defined responsibility for identifying the legal, regulatory and contractual requirements that apply to the organization and keeping them up to date. A risk-based, structured approach to security management, policies and standards means that shifts in the regulatory environment can often be accommodated as part of the normal review and update cycle rather than in an ad hoc, reactive mode. When changes are required, they can be made incrementally rather than as a major overhaul.
- Benefit: The risk-based decision making inherent in an ISO 27001 ISMS means the system shares a common basis with many new legal requirements. Changes to the ISMS can be made in an orderly, incremental fashion.
- Bottom line impact: Legal and regulatory compliance is accomplished through an ongoing change process, often using maintenance cycles rather than unplanned efforts or forced reaction. Disruption to the business is lessened, and compliance is achieved through simple alignment rather than repetitive and unplanned reengineering of security policies, standards, and practices.
- ISO 27001 requires a defined risk assessment methodology. With the results of the risk assessment, information security and management together make informed choices about which controls must be applied, and record the justification for those choices (and for any controls deliberately excluded) in the Statement of Applicability.
- Within the context of the ISMS, each choice can be defended on the basis of evaluated risks and defined controls. There is no "gray area" and no reliance on individual interpretation of security practices, however well intended.
- An organization can therefore easily defend and justify its choices to management, customers and regulators, with less effort and confusion in explaining them. This shortens audit cycles and provides important reassurance to both management and clients that information security is based on informed-choice decisions, not just common practice.
- An ISMS provides a mechanism to integrate information security into your company's overall risk management strategy. Business executives can be presented with information security in its proper context of asset protection and risk mitigation, without needing to be walked through the intricacies or jargon of the discipline.
- By making information security decisions on the defensible basis of risk management, the information security practitioner and business manager can employ a common terminology. In addition, the information security function becomes more integrated with the organization as a whole.
- Increased understanding and acceptance of the role of information security in the organization's overall risk management strategy.
- Implementation of ongoing management, or "continuous process improvement". Organizations are required not only to identify what is in place now, but to monitor, review and change controls when the environment dictates such change. This continual improvement cycle is commonly described using the W. Edwards Deming model of Plan, Do, Check, Act (PDCA).
- If your organization must respond to customer security inquiries, there is nearly always a requirement for annual renewal or periodic review. Once certified against ISO 27001, the ISMS is subject to annual surveillance audits and recertification every three years. These independent audits, performed by the certification body, offer proof to your management and your clients that the ISMS is operating satisfactorily and improving continually.
- In a nutshell, certification offers independent proof of ISMS adequacy and the ongoing benefit of continuous process improvement. It gives clients and management proof that the ISMS continues to meet the standard of due diligence.
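The risk-assessment and Statement of Applicability points above can be made concrete. The following is an added example (it is not iTGRC Asia's code and not part of the standard): a small Python risk register that scores each risk, compares it with a risk appetite, selects controls until the residual risk is within appetite, escalates anything that cannot be brought within appetite, and produces a Statement of Applicability entry for every catalogued control, including a justification for the ones that are not applied. The 1..5 scales, the appetite value of 8, the threat-to-control mapping and the reduction figures are all assumptions constructed for the example; the control identifiers and names are taken from ISO/IEC 27001:2013 Annex A, which does not itself prescribe any of these numbers.

```python
"""Risk-based control selection with a Statement of Applicability (SoA).

Added example; the 1..5 scales, the risk appetite value and the control
effect figures are constructed for illustration. ISO/IEC 27001 requires a
defined risk assessment method and an SoA but does not prescribe these numbers.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

RISK_APPETITE = 8  # constructed: scores above this must be treated, not retained


@dataclass(frozen=True)
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int      # 1 (negligible) .. 5 (severe), constructed scale

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    cid: str                   # ISO/IEC 27001:2013 Annex A identifier
    name: str
    treats: FrozenSet[str]     # threats this control is relevant to (assumption)
    likelihood_reduction: int  # assumed effect on the 1..5 likelihood scale
    impact_reduction: int      # assumed effect on the 1..5 impact scale


# Constructed catalogue: identifiers and names are Annex A controls,
# the threat mappings and reductions are assumptions for this example.
CATALOGUE: List[Control] = [
    Control("A.9.4.1", "Information access restriction", frozenset({"unauthorised access"}), 2, 0),
    Control("A.10.1.1", "Policy on the use of cryptographic controls", frozenset({"unauthorised access"}), 0, 2),
    Control("A.12.3.1", "Information backup", frozenset({"data loss"}), 0, 2),
    Control("A.12.6.1", "Management of technical vulnerabilities", frozenset({"malware", "ransomware"}), 1, 0),
    Control("A.13.1.1", "Network controls", frozenset({"eavesdropping"}), 2, 0),
]

# Constructed risk register
REGISTER: List[Risk] = [
    Risk("R1", "customer database", "unauthorised access", 4, 5),
    Risk("R2", "build server", "data loss", 3, 3),
    Risk("R3", "public website", "defacement", 2, 2),
    Risk("R4", "payment switch", "ransomware", 3, 5),
]


def residual_score(risk: Risk, controls: List[Control]) -> int:
    """Risk score after the listed controls; scale values are clamped to >= 1."""
    likelihood = max(1, risk.likelihood - sum(c.likelihood_reduction for c in controls))
    impact = max(1, risk.impact - sum(c.impact_reduction for c in controls))
    return likelihood * impact


def treat(risk: Risk, catalogue: List[Control], appetite: int) -> Tuple[str, List[Control], int]:
    """Decide a treatment: retain, modify (apply controls) or escalate to the risk owner.

    Controls are added in catalogue order until the residual score is within appetite.
    If the relevant controls are exhausted the risk is escalated so the owner can decide
    to share (e.g. insure) or avoid it; it is never silently retained.
    """
    if risk.score() <= appetite:
        return "retain", [], risk.score()
    chosen: List[Control] = []
    for control in (c for c in catalogue if risk.threat in c.treats):
        chosen.append(control)
        if residual_score(risk, chosen) <= appetite:
            return "modify", chosen, residual_score(risk, chosen)
    return "escalate", chosen, residual_score(risk, chosen)


def statement_of_applicability(register: List[Risk], catalogue: List[Control], appetite: int):
    """Return (soa, decisions). Every catalogued control gets an entry with a
    justification whether or not it is applied, which is what an auditor expects."""
    soa: Dict[str, dict] = {
        c.cid: {"name": c.name, "applicable": False,
                "justification": "no risk in the register requires this control"}
        for c in catalogue
    }
    decisions: Dict[str, Tuple[str, int]] = {}
    for risk in register:
        decision, controls, residual = treat(risk, catalogue, appetite)
        decisions[risk.rid] = (decision, residual)
        for control in controls:
            entry = soa[control.cid]
            if entry["applicable"]:
                entry["justification"] += f", {risk.rid}"
            else:
                entry["applicable"] = True
                entry["justification"] = f"treats {risk.rid}"
    return soa, decisions


if __name__ == "__main__":
    soa, decisions = statement_of_applicability(REGISTER, CATALOGUE, RISK_APPETITE)
    for rid, (decision, residual) in decisions.items():
        print(f"{rid}: {decision} (residual {residual})")
    for cid, entry in soa.items():
        print(f"{cid} {entry['name']}: applicable={entry['applicable']}; {entry['justification']}")
```

Two design points carry over to a real ISMS regardless of the scale you choose: a risk that cannot be brought within appetite by the available controls is escalated for an explicit owner decision rather than quietly accepted, and the Statement of Applicability records a reason for every control, including the ones you chose not to apply, because an auditor will ask about the exclusions as well as the inclusions.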
Relationship between ISO/IEC 27001 and ISO/IEC 27002
- ISO/IEC 27001:2013 (a certification standard) versus ISO/IEC 27002 (a code of practice/guideline)
- ISO/IEC 27001 formally defines the mandatory requirements for an Information Security Management System (ISMS). Its Annex A lists the information security controls an ISMS may draw on, and ISO/IEC 27002 provides implementation guidance for those controls. Because ISO/IEC 27002 is a code of practice rather than a certification standard, organizations are free to select controls from other sources, or to adopt alternative complete suites of controls, provided they compare their chosen controls against Annex A to confirm that no necessary control has been overlooked. In practice, most organizations that adopt ISO/IEC 27001 also adopt ISO/IEC 27002.
iTGRC Asia Pte Ltd