ISO 27001 is the international standard for information security. ISO 27001 provides guidelines for the determination, implementation, execution, maintenance, monitoring and continual improvement of an Information Security Management System (ISMS). An ISO 27001 certificate emphasizes that your organization has implemented the necessary security measures that safeguard confidential information against unauthorized access. By implementing a thorough risk management process assurance is provided that risks are effectively managed and consequently the confidentiality, integrity and availability of the ISMS is guaranteed.
The ISMS is prepared for both customers as well as the internal organization and the provided products and services. The standard requires a management policy based on the High Level Structure (HLS), which is in accordance with the PDCA (Plan-Do-Check-Act) model. The management policy is based on the organization's current business strategy, corporate objectives and applicable laws and regulation. The management policy is consistently reviewed each period to ensure the applicability, effectiveness and adequacy.
The High Level Structure (HLS) is a set of seven mandatory management themes that all new ISO management system standards, such as ISO 27001 and ISO 9001 are required to use. Specific additional requirements are applicable for each management standard if necessary. The HLS enables practical integration between management systems of different disciplines and provides a link between the strategic and operational level. The HLS structure is easy to align with existing management models and procedures within an organization and easy to align with other ISO standard. Therefore, the HLS is often referred to as the "plugin model".
The HLS starts with a Context Analysis in which a mapping of the internal and external issues is prepared and a mapping of the stakeholders and their requirements and expectations. Organizational roles, responsibilities and the management policy are described in the section Leadership, with explicit attention to the link between the management system and the overall strategy of the organization on the one hand and the 'normal' business processes on the other.
The next step is to describe the Planning for actions to address risks and opportunities and drafting the information security objectives. The resources necessary for the establishment, implementation, maintenance and continual improvement of the ISMS is described in section Support. The next step, Operation, is to prepare the operational planning and performing the risk assessment and drafting the risk treatment plan. During the Performance Evaluation, procedures to monitor, measure, analyze and evaluate are prepared, including the internal audit and the management review. To ensure Continual Improvement, procedures for identifying and handling corrective actions are prepared in the final section.
After the preparation of the HLS management structure, the Statement of Applicability (SoA) is prepared. The SoA is one of the mandatory and key elements of an ISO 27001 implementation and crucial for identifying the necessary controls to implement within the ISMS. The controls are identified and selected based on the risks that were identified during the risk assessment process. The "comply or explain' philosophy is used, whereby an explanation is provided for each of the Annex A controls that have been omitted. Each control without legitimate justification must be implemented.
Information Security risks are reduced by effectively preventing the organization against threats and vulnerabilities. The ISO 27001 Annex A describes standards and management practices for information security control objectives and controls. Relevant control objectives and controls are prepared based on the selected Annex Controls in the SoA. The control objectives and controls are related to a variety of key elements of information security, such as Human Resource Security, Access Control, Operations Security, Cryptography and Compliance.
The core attributes of our approach are efficiency and minimizing the disruption of operational processes during the certification procedures. This requires effective planning and open communication with your organization throughout the entire engagement and particularly during the reporting and audit phase. Our approach is focused on delivering quality throughout the entire process and is subject to our quality standards. Our services focus on the project management leading to an ISO 27001 compliant Information Security Management System (ISMS). Find out more.
Need assistance implementing ISO 27001? Our group company Risklane provides governance, risk management and compliance services. Risklane supports organizations with the ISO 27001 implementation with the Cloud Reporting Solution ControlReports. This application supports with the implementation of an Information Security Management System (ISMS). ControlReports supports in the process of establishing the management structure (HLS) and the control framework using a structured and agile step-by-step approach.