Glossary - ISO 27001 terminology explained
What is ISO27001?
ISO 27001 is an Information Security Management Standard. It is a set of principles and practices to manage information security risks in an organization.
Yes, but what is ISO27001?
ISO 27001 is an international, certifiable standard that provides framework to safeguard your information and data. To achieve it, you must implement an Information Security Management System (ISMS). ISO27001 is makes this a standardised process which is easier to manage, measure, and improve.
What is an ISMS?
An ISMS is a systematic approach consisting of processes, technology and people that helps you protect and manage your organisation’s information through effective risk management. It helps you address and protect the three dimensions of information security: Confidentiality, Integrity, and Availability.
What are ISO 27001 requirements?
ISO 27001 has the following requirements which can be categorised broadly into 4 areas following Deming's Cycle:
1. Establish the context of the ISMS within the organisation; determine the scope of the ISMS; gain sponsorship and commitment from senior management; create an information security policy and supporting policies and procedures including an information security risk management methodology.
2. Undertake information security risk assessments; risk treatment as required; implementation of selected controls to reduce or mitigate risks; update the Statement of Applicability.
3. Undertake internal and external audits to determine the state of the ISMS and to assess control effectiveness.
4. Identify and implement improvements; take appropriate corrective and preventative actions; communicate and consult with all stakeholders.
What is the Deming Cycle
The Deming Cycle (Plan-Do-Check-Act (PDCA)) is a four-step iterative technique used to solve problems and to improve organizational processes. The objective is to improve quality by continual improvement as you continue to follow the cycle.
Who needs to be ISO 27001 certified?
Any company that seeks to demonstrate to its interested parties, including suppliers, customers and regulators, that it takes information security seriously may want to consider certification of their ISMS to the ISO27001 standard.