Information Security Management System
SRI was the first and, at accreditation, the only U.S.-based registrar to be approved by ANAB to ISO 27001. In January of 2010, SRI became the first and only U.S.-based and U.S.-wholly owned registrar accredited by ANAB to certify a company’s Information Security Management System (ISMS) to ISO 27001. SRI is uniquely qualified and committed to the growing number of U.S. companies that need ISO 27001 certification.
ISO 27001 certification provides a management framework for continuing conformance to information security requirements. This framework can also be used to meet the legal and regulatory requirements of HIPAA, SOX, and GLBA, as well as other government and commercial contracts. And as a management framework, ISO 27001 is a better alternative to SAS 70 for companies that must have a documented, certified, or demonstrated information security program.
ISO/IEC 27001:2013 for Information Security Management Systems enables companies to address critical issues.
Enabling Companies to Address Critical Issues
The final version of ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems, is available, and replaces ISO/IEC 27001:2005. The Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes, and IT systems. The international standard provides the framework for an organization to implement a globally recognized system for managing the security of their information.
With increased usage of new technology to store, transmit, and retrieve information, we have exposed ourselves to increased numbers and types of threats. The overall approach to information security, and the integration of different security initiatives, needs to be managed in order for each element to be most effective. An ISMS allows you to coordinate your security efforts effectively. The implementation of ISO/IEC 27001:2013 will reassure customers and suppliers that information security is taken seriously within your organization and that defined processes are in place to deal with information security threats and issues.
The ISMS standard can be used by a broad range of organizations – small, medium, and large – in most of the commercial and industrial market sectors: technology, finance and insurance, telecommunications, healthcare, utilities, retail and manufacturing, various service industries, transportation, government, and many others. Like its predecessor, ISO/IEC 27001:2013 specifies the processes to enable a business to establish, implement, review and monitor, manage and maintain an effective ISMS.
The ISO 27001 standard integrates the process-based approach of ISO’s management system standards, including the Plan-Do-Check-Act cycle and requirement for continual improvement. Meeting the standard assures customers and suppliers that organizations have developed and certified their information management systems to an internationally recognized standard for security.
The ISO 27001 Standard
ISO/IEC 27001 is intended to be used with ISO/IEC 27002, the Code of Practice for Information Security Management, which lists objectives, controls, and implementation guidelines. Organizations that implement an ISMS in accordance with ISO/IEC 27002 are likely to also meet the requirements of ISO/IEC 27001. This ISO standard is the first in a family of information security standards, which are assigned numbers in the 27000 series. They include:
- ISO/IEC 27000 – a vocabulary or glossary of terms used in the ISO 27000-series standards
- ISO/IEC 27002 – the code of practice
- ISO/IEC 27003 – the ISMS implementation guide
- ISO/IEC 27004 – the standard for information security measurement and metrics
- ISO/IEC 27005 – the standard for risk management
- ISO/IEC 27006 – the guide to the certification process
- ISO/IEC 27007 – the guide for information security auditing
- ISO/IEC 27010 – the guide for inter-sector and inter-organizational communications
- ISO/IEC 27011 – the guide for telecommunications-based organizations
- ISO/IEC 27019 – the guide for process control systems in the energy utility industry
- ISO/IEC 27799 – Healthcare informatics – Information security in healthcare organizations
Control Objectives and Controls
In addition to the clauses of the ISO/IEC 27001 standard, minimum control objectives and controls are located in the Annex (i.e. Annex A Controls). Minimally, these objectives and controls shall be a part of the ISMS. Additional objectives and controls may be necessary, depending on legal and regulatory requirements, customer requirements, and the organization’s own requirements.
Certification to ISO/IEC 27001
The ISO 27000 family of information security management standards aligns with other ISO management system standards, such as ISO 9001 (quality management) and ISO 14001 (environmental management), regarding both general structure and the nature of integrating best practices with certification standards. Certification of an organization to ISO/IEC 27001 is one means of providing assurance that the organization has not only implemented a system for the management of information security in line with the international standard, but also maintains and continuously improves the system.