The ISO 27001 standard, more formally known as ISO/IEC 27001:2013 Information Security Management, focuses primarily on the implementation and management of an information security management system (ISMS).

A joint product of the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 is the most well-known of more than a dozen published standards in the ISO/IEC 27000 family. It's also the only member of the family against which an organization can be certified, with ISO 27002 and beyond serving primarily as guidance and reference material for the "main" standard.

In contrast to some other standards and frameworks, achieving and demonstrating ISO 27001 compliance does not require strict adherence to specific technical controls. Instead, the focus is on risk management and taking a holistic and proactive approach to security across the entire organization. You'll find more than a dozen controls listed in the standard's "Annex A", but there is no expectation that all ISO 27001 certified organizations will have implemented each and every one of these controls. Rather, each organization will apply an appropriate subset of these controls based on the unique risks to their business operations.

The ISO also makes a very deliberate attempt to portray the ISO 27001 framework as an "information security" framework rather than a cybersecurity one. While a great deal of a modern organization's "information" exists in a digital form, policies and procedures, proprietary knowledge, and even buy-in from senior leadership are less tangible assets that can still adversely affect an organization were they to be lost or co-opted. The policies, procedures, people, documentation, and controls intended to maintain the Confidentiality, Integrity, and Availability of an organization's information are known collectively as an Information Security Management System (ISMS).

Is ISO 27001 compliance or certification mandatory?

While some mistakenly conflate ISO 27001 compliance with legal requirements, only a few countries have laws on the books requiring organizations to implement the framework.