Information Security Management

The International Standards Organisation has defined Information Security as "the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.”

Information Security is therefore the means by which information is protected from unauthorised or undesired events. The primary aim of Information Security is to protect the confidentiality, availability and integrity of information.

Information Security is not the same as Computer Security, although the subjects are related and do overlap in their goals and, on occasion, their methodology. Information Security deals with data, regardless of the form of that data (electronic, anecdotal or hard copy), whilst Computer Security deals specifically with ensuring the availability of computer systems and is not automatically concerned with the data those systems may host.

Best practice in Information Security goes beyond merely "locking down" a computer system. The subject encompasses all aspects of data protection and includes the management of printed material and standards of confidentiality in both written and spoken communication.

Information Security therefore includes, but may not be limited to, network and PC security policies, effective Data Management, Risk Management and Disaster Recovery planning. How an organisation approaches Information Security will determine how effective it is in protecting its data and increasing its productivity and efficiency.

For effective Information Security to be in place a culture of awareness and compliance must therefore also be in place throughout the organisation.

The ISO 27000 family of standards helps organisations keep information assets secure. using this family of standards will help an organisation manage the security of assets such as financial information, intellectual property, employee details or information entrusted to it by third parties.

ISO 27001:2022 - Information Security Management Systems - Requirements

ISO 27001:2022 is the best-known standard in the family providing requirements for an Information Security Management System (ISMS).

An ISMS is a systematic approach to managing sensitive information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.

ISO 27001:2022 specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.

An ISMS can thus be designed and implemented so as to help organisations of any size in any sector keep information assets secure.

Like other ISO management system standards, certification to ISO 27001 is possible but not obligatory. Some organisations choose to implement the standard in order to benefit from the best practice it contains while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed.

ISO 27002:2022 Information security, Cybersecurity and privacy protection – Information security controls

ISO 27002:2022 gives guidelines for organisational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organisation's information security risk environment(s).

It is designed to be used by organisations that intend to:

select controls within the process of implementing an ISMS based on ISO 27001
implement commonly accepted information security controls
develop their own information security management guidelines

ISO 27003:2017 Information Security Management Systems - Implementation Guidance

ISO 27003:2017 focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO 27001:2015.

It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in ISO 27003:2010 as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.

ISO 27004:2016 Information Security Management Systems - Measurement

ISO 27004:2016 provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO 27001.

ISO 27004:2016 is applicable to all types and sizes of organisation.

Burdikin.com can advise and assist in all aspects of Information Security Management to ISO 9000 standard. We will also offer stand alone guidance on implementing best practice in Information Security Management for those organisations unwilling or unable to seek full compliance with ISO 27001.

Return to top Home