ISO 27001 is the international standard for information security systems, i.e. systems designed to secure IT networks and the data they hold. Recognised across the globe, it was developed by ISO in close cooperation with the International Electrotechnical Commission (IEC). Although it’s not obligatory to obtain ISO 27001 certification in Australia, or any other country, it does provide a useful framework that makes the job of implementing effective IT security protocols easier to achieve. The ISO 27001 guidelines set out a list of requirements for an information security management system (ISMS), which need to be met by companies that wish to be certified.

The ISO 27001 standard includes a comprehensive set of requirements for an ISMS, including information security policies, human resources security, asset management and access control. It also covers topics and technologies such as cryptography, physical security, environmental security, relationships with suppliers, incident management, communications security and operational security. In short, if it has an impact on the security of the data stored in your IT system, it will be covered by this certification. It does, of course, cover the requirements for compliance with international data security regulations and the latest industry best practices as well.

An ISMS is an information security management system. But what exactly does this mean and what is the purpose of an ISMS? An ISMS describes your company’s information security and privacy procedures and processes. It is intended to demonstrate the measures you have taken to ensure that the information stored in your systems is protected from outside threats. It also covers the plans you have made to deal with any security breaches if they should occur. Whether or not your organisation wishes to achieve ISO 27001 certification, it’s important to have an ISMS in place that clearly states the steps you have taken to secure your infrastructure and the sensitive data it contains.

The decision to establish and implement an ISMS should be made by top management; however, security responsibilities lie with everyone in the organisations. Management, personnel and even contractors are a part of the ISMS and may present a significant risk if not trained well.A common awareness program may be good to start but needs to be followed up with documented policies and procedures with clear responsibilities for protecting data and information. Policies and procedures can facilitate Access to information as well as Integrity and Confidentiality (CIA), can help mitigate the risk of a breach and guide staff in specific situations. Well implemented policies and procedures are an indication of an organisation’s strength on security and may enhance people’s commitment to ISMS.

The confidentiality, integrity and availability of data and information are the focus of ISO 27001. These three are usually threatened by a variety of internal and external threats and the only way we can protect our data and information is a proper risk assessment. Risk management helps us to target our efforts and security measures in the right place at the right time. No organisation has unlimited resources, and need to use resources wisely as per the risk assessment.

Risk assessment is an important element of information security management systems. The methodology used for risk assessment is particularly important to be effective, otherwise it would be hard to identify and evaluate risks an organisation have and difficult to define right and effective security response. Every organisation has its own specific environment, specific structure, business model, and culture, and needs to design and agree on its own specific Risk assessment methodology.

There are a number of mandatory requirements that must be met to achieve ISO 27001 certification, the two most important of which are:

• Defining the Scope of Your ISMS – You need to produce a detailed definition of the information your system is designed to protect
• Risk assessment/treatment methodology – This should identify all potential threats and how you intend to deal with them.

If you would like to obtain ISO 27001 certification in Australia or elsewhere, please get in touch to discuss the certification process with a member of our team. In the meantime, you can check out our code of conduct to get a better idea of how we operate.