ISO/IEC 27000: Basics and Overview
Information. Security. Management.
Information increasingly determine our everyday life. They represent an increasing value, especially for the business operations of an organisation. The term “information” covers an almost unlimited area. Whether it is information for managing assets, contract data, personal information, payment transaction data or even crypto currencies, all are exposed to a growing number of threats and are therefore also subject to an increasing need for protection. This need for protection extends not only to the information but also to the components that transmit, store or process it.
This threat situation gives rise to an increased need and desire to ensure the security of information. Due to the scope of the values to be protected and the associated components, the use of a management system is advisable for controlling and monitoring information security.
Such an information security compliance and assurance management system should help to find solutions to the most important core issues.
Which data is subject to which protection requirements? Is the data protection regulation to be adhered to for personal information? Is it a matter of confidentiality, for example with contract or patient data? Does integrity also have to be ensured under certain circumstances, as is the case with contractual or payment transaction data? And what about the desired or guaranteed availability? Do other security requirements such as non-repudiation or authenticity have to be taken into account?
Where can this information be found at all? Which system components or people are involved? Who is responsible for the information and its protection? Are increasing or new threats identified and adequately countered by adapting security measures?
In addition, the increasing number of external requirements for organisations increasingly includes proof of an appropriate information security management system (ISMS).
One way of doing this is the ISO/IEC 27000 series of standards — essentially the process-oriented ISO/IEC 27001 standard, which defines the requirements for an ISMS and is supplemented in particular by:
The ISMS according to ISO/IEC 27001 focuses on the information assets to be protected and the identification of the associated security requirements and risks. A set of rules consisting of guidelines, processes and procedures must be established as a basis for protecting the values and meeting the safety requirements. However, the measures defined in this way can only unfold their (protective) effect if their application is also monitored and enforced. An important component for the implementation and control of management processes is the assignment of responsibilities, for example by defining roles and assigning them to persons. The process is rounded off by the definition and implementation of appropriate measures to achieve the set goals.
In order to promote an improvement of the ISMS, it is subject to a continuous review and adaptation process in accordance with the standard, which is often presented using the so-called Plan-Do-Check-Act methodology.
Contact
Randolf Heiko Skerka
IS Management
SRC Security Research & Consulting GmbH
