How to Deal with ISO 27001

The ISO 27001 standard, part of the ISO 27000 family, deals specifically with protecting ICT systems.

What Do You Have to Do to Follow It?

The steps, in a loosely ordered sequence, are as follows:

  • Narrow the focus: define the scope, context, and stakeholders.
  • Define the security policy.
  • Define roles and responsibilities, and secure the active involvement of management.
  • Choose a risk management methodology. There are numerous methodologies; one that is highly recommended in Spain is Magerit (other options are OCTAVE and CRAMM).
  • Analyze, classify and evaluate the entity's risks and their association with the inventory of assets, either individually or grouped (by process). The Pilar tool is recommended.
  • Determine which of the 114 suggested controls (Annex A of the standard) are applicable, and whether any additional controls are required. For this, it is necessary to prepare the so-called Statement of Applicability (SoA), justifying each decision.
  • Define and implement the appropriate mitigation controls.
  • Determine the method for measuring the effectiveness of the controls, which feeds the Action Plan for remediating the gaps detected.
  • Set annual security goals (for future achievements).
  • Implement review and audit processes for the implementation carried out.
  • Define an incident notification process.
  • The last step is to request certification, which consists of:
    • Year 0. Initial Audit: a review of the documentation and verification of its use.
    • Years 1 and 2. Follow-up Audits.
    • Beginning of the Recertification cycle (three years).
    • Year N. Recertification Audit.
    • Years N+1 and N+2. Follow-up Audits.

What Benefits Does ISO 27001 Provide?

  • It improves the trust of third parties (shareholders, customers, suppliers, business or production partners,…).
  • Although it is often not a direct objective, improved efficiency is achieved indirectly by implementing a method of continuous improvement and, in some cases, this alone justifies the implementation.
  • Establishment of a corporate security culture for the protection of systems and data.
  • Commercial differentiation: being able to accredit a certificate that competing companies do not have sets us apart positively.
  • International alignment: To have relationships with international partners, accrediting an ISO 27001 certificate provides confidence that facilitates business relationships.
  • It facilitates compliance with other cybersecurity regulations, such as the ENS.

Other Complementary Standards

Lately, the cybersecurity truck is becoming overloaded with a multitude of regulations: the ENS (National Security Scheme) for the Spanish public sector, RD 43/21 for critical or essential services, ISO 27701 and the GDPR for the privacy of personal data of European Union citizens, ISO 20000 aimed at ICT service providers, the future DORA for the financial and insurance sectors, and COBIT for the control of ICT governance, although the latter is more widely used across the pond.
