ISO 27001 tells us what has to be done for risk identification and management, but not how. The "how" is dealt with in ISO 27002, which gives implementation guidance for the individual controls.
ISO 27000 is a family of standards made up of several parts; below are a few of them.
- ISO 27001 – Information security management system (ISMS) requirements specification
- ISO 27002 – Code of practice for information security controls
- ISO 27003 – Guidance on implementing an ISMS
- ISO 27004 – Monitoring, measurement and metrics
- ISO 27005 – Information security risk management
What ISO 27001 is meant to achieve:
- Identification of business risk
- Addressing the identified risks in a disciplined way
- Effective security and compliance management
- Ensuring CIA (confidentiality, integrity and availability of information)
The key requirement of ISO 27001 is to have an ISMS (Information Security Management System) in place. ISO 27001 defines the requirements for establishing, operating, monitoring and improving an ISMS. Overall it helps put the business's handling of security in order.
ISO 27001 is not prescriptive about the specifics of each control, and it is not one-size-fits-all. It has been designed so that it can be applied to any organisation, whatever its size or sector.
Example: if the standard prescribed that backups must be taken every 24 hours, for some organisations that frequency would be too low and for others far too high. Instead, the organisation is expected to set the frequency from its own risk assessment.
Why do we need an ISMS?
So that risk can be gauged, monitored, controlled and managed in an efficient and repeatable way, rather than ad hoc.
4-phase (Plan, Do, Check, Act) approach to implementing an ISMS
Plan:
- Involve management (get management commitment and sponsorship)
- Define the scope of the ISMS
- Set up the ISMS policy
- Define how risk will be assessed and treated (e.g. rated high, medium or low)
- Select the controls
Do:
- Implement the above
- Spread awareness (train staff on the policy and controls)
Check:
- Monitor the above
- Perform internal audits
Act:
- Take corrective and preventive measures