1. Information Security Requirements

ISO 27002- INTRODUCTION, With the ever growing and sophisticated technoscapes that span our world, it is really important for organizations to look after its security measures. Consumers are therefore demanding greater transparency from businesses about the data they collect – and the compliances which they are following. Thus, proper certifications and due diligence assures every stakeholder’s mind that their organisation is taking data privacy seriously. Towards this, there are three main sources of security requirements:

  1. Risk Assessment
    – Identifying vulnerabilities and threats to assets

    – Evaluating the likelihood of risk to those assets
    – Estimate the potential impact
  2. Legal, Statutory, Regulatory and Contractual requirements
    An organization should meet these requirements along with the needs of social-cultural environment as well as its stakeholders’ requirements.
  3. Principles and Objectives
    Requirements to support business operations- information management, processing, storing and communication Requirements to support business operations- information management, processing, storing and communicating.

The resources used in implementing controls should be structured in such a way that it safeguards the assets from the attacks which may happen in the absences of these controls. The results of the risk assessment will help us identify appropriate management actions and objectives for the better oversight of information security controls to safeguard assets against those risks.

Here at Infosvvy we provide detail information and knowledge about Standard ISO 27001 and knowledge about the standard ISO 27001 and its sister guidance other standard ISO/IEC 27002 and ISO/IEC 27005 which provides information security risk management guidance which includes advice on risk assessment, risk treatment, risk acceptance, risk communication, monitoring and risk review. Infosavvy provides training of IRCA CQI ISO 27001 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (training certified by TÜV SÜD)

2. Security Controls

Controls are mainly selected from this standard or from other control sets, or new controls are designed depending on the need of security to the assets of the organization. The organization may choose to enforce certain security controls recommended for the level of risk assigned and standards for risk acceptance, risk treatment options to the information systems  or reinforce them with additional security controls to further improve the security and will even be subjected to all or any relevant national and international legislation and regulations.

Related Product : ISO 27001 Lead Auditor Training And Certification ISMS

3. Developing your own guidelines

While developing guidelines one thing which needs to be kept in mind is the results of risk assessment, it gives the developer an acute picture of security needs specific to their organization. Remember, all the control and guidelines mentioned in the code of practice may sometimes be not applicable in certain scenarios, at the same time there can instances where you might require few controls and guidelines which are not included in this standard. When new guidelines and controls are introduced in documents, cross references to the said clauses should be mentioned in the standards, if applicable; to enable auditors or business partners to affectively monitor compliance.

4. Lifecycle considerations

Information too has a lifecycle, it starts from creation then storage, processing, transformation and eventually get demise but the value and risk to the information which is an asset to the organization may vary during its lifecycle. Ex. Unauthorized disclosure or theft of a company’s financial accounts.

The information system is no different, its life cycle phases include the conception, specification, design, development, testing, implementation, use and retention and eventually disposal. Information System is the necessary requirement at every stage of the operations. New system implementations and improvements to existing systems create opportunities for companies to upgrade and strengthen security procedures, taking into account tragic past events and current and expected cyber security threats.

5. Related Standards

While studying about this standard we understood that ISO 27002 provides guidance on wide range of security controls which when implemented in organization can safeguards its assets. ISO/IEC 27000 family comprises of many standards which offers advices or tell about the requirements’ for managing information security.

Refer ISO / IEC 27000 for general guideline of both the ISMS and the family of standards. ISO / IEC 27000 includes a glossary that explicitly specifies most of the terminology used in the ISO / IEC 27000 family of standards and illustrates the purpose and goals of each family member.

Questions related to this topic

1. What is risk assessment in ISO 27001?
2. What is business risk approach in ISO 27001?
3. What are ISO 27001 controls?
4. What does ISO 27001 mean?
5. Explain ISO 27002- INTRODUCTION?

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us –

Leave a Comment

Your email address will not be published. Required fields are marked *