Infromation security

Since its publication in October 2005, ISO 27001 has been implemented in many organisations as the best practice for information security management, with over three hundred UK organisations independently certified against the standard.

So if these organisations, which range from small and medium to large enterprises, have implemented ISO 27001, why are we still hearing about lapses in information security? Neil O’Connor, principal consultant, Activity asks what lessons are there to be learnt from every organisation, whatever its size, using ISO 27001 as a benchmark?

Introduction

Information security, and in particular the handling of personal information, has regularly been in the headlines over the last few months. There have been notable incidents at HM Revenue and Customs, the Ministry of Defence, Nationwide Building Society and Marks and Spencer among others.

These are all large organisations implementing information security management systems at least compliant with, if not certified against, the international standard for information security management, ISO 27001.

ISO27001



A key issue is that ISO 27001 is a management standard, not a security standard. It provides a framework for the management of security within an organisation, but does not provide a ‘Gold Standard’ for security, which, if implemented, will ensure the security of an organisation.

ISO 27001 takes a risk assessment based approach. An information security risk assessment is used to identify the security requirements of the organisation, and to then identify the security controls needed to bring that risk within an acceptable level for the organisation.

Once the security controls have been identified, ISO 27001 defines processes to ensure that a) these controls are implemented and are effective; and b) that the controls continue to meet the organisation’s security needs.

read full text on bcs.org