ISO 27001 and the ISMS (Information Security Management System)

CyberSecura
CyberSecurity and GDPR compliance
Jun 28, 2023

The cyber-attack carried out in October 2017 against the American multinational Equifax, which specialises in credit rating, resulted in the massive theft of loan data and data relating to the creditworthiness of millions of customers around the world. This attack is seen as a major turning point in the recognition of IT security as an integral part of running a business, whatever its size or purpose. Indeed, the development of an Information Security Management System (ISMS), as a set of procedures and security policies integrated into the operation of organisations, is a major bulwark for the prevention and management of IT security incidents.


What is an ISMS?

An ISMS (Information Security Management System) refers to the set of policies and processes designed to manage security and mitigate risks, particularly those relating to information security. An ISMS is therefore a management system that makes it possible to define actions (technical and organisational) to achieve a set objective. (1)

What is the role of an ISMS?

The development of an ISMS is an essential security approach based on the principle of “defence in depth”, with priority given to the use of several complementary control mechanisms. It ensures that systems are adequately protected by recommending the implementation of a wide range of controls essential to IS security. These recommendations, far from the purely technical image often associated with cybersecurity, include measures of a technical nature (data encryption, installation of antivirus software, logging, etc.) as well as organisational measures (human resources security, project risk management, supplier relations, etc.). An ISMS is therefore an all-encompassing approach to IT security deployed throughout an organisation’s ecosystem.

The 4 security criteria of ISO 27001

The ISO/IEC 27001 standard, and the ISO/IEC 27002 standard on which it is based, developed by the International Organisation for Standardisation (ISO), constitute reference frameworks to be deployed to develop and maintain an operational ISMS.

ISO/IEC 27001 is an international standards framework that defines the requirements for implementing an effective ISMS. It is part of a proactive approach and is based on 4 essential criteria for IS security: availability, integrity, confidentiality and traceability of data and services. A final underlying compliance criterion may also be added, particularly in terms of personal data protection. Following a detailed initial audit, the standard requires the implementation of an Information Systems Security Policy (ISSP) tailored to the organisation. This brings together a set of procedures and policies covering various technical and organisational aspects that must be implemented in order to be certified as compliant with the ISO/IEC 27001 standard. One of the advantages of this standard is that it requires organisations to carry out regular audits, enabling continuous monitoring of security. Compliance requires the assistance of certified professionals who will help you draw up and implement your security documentation.

What is the difference between ISO 27001 and ISO 27002?

ISO/IEC 27002 complements ISO/IEC 27001 by providing a comprehensive directory of IS management best practices and a clear organisational framework for IS security. With 114 (2013 version) or 93 (2022 version) measures covering 4 security themes for ISMSs, it does not lead to certification but is more akin to an IS security guideline. As such, the measures proposed in the ISO/IEC 27002 standard should be implemented following a risk analysis to address the security weaknesses identified by the assessment. The relevance of this standard lies in its adaptability and ease of use to meet the specific needs of organisations.

Copyright CyberSecura, use and reproduction prohibited

These two standards complement each other to enable security measures to be specifically adapted to the context and purpose of an organisation. They form a foundation for the entire family of ISO/IEC 27K standards, which cover all the prerequisites for developing an ISMS. It should be noted that the ISO/IEC standards are not incompatible with each other, but that they provide a global overview of the requirements and measures necessary for information security, both for requesting organisations and for cybersecurity professionals.


What are the prerequisites for ISO 27001 certification?

If an organisation wishes to apply for ISO/IEC 27001 certification, it must first work with a professional to implement the requirements of the standard. To obtain the certificate, applicants must approach a certification body accredited by the Comité Français d’Accréditation (COFRAC), which is responsible for ensuring their impartiality. The certification bodies carry out a detailed initial audit of the applicant’s information system and, if it meets the requirements of the standard, issue an ISO/IEC 27001 certificate valid for 3 years. An annual follow-up audit is mandatory to ensure that the certified party is keeping its ISMS up to date.

In more concrete terms, these standards ensure that data subjects and users enjoy enhanced protection of their data. For example, ISO/IEC 27001 is one of the certifications required of all Health Data Hosts (HDS). The HDS standard for health data controllers requires, among other things, full implementation of the ISO/IEC 27001 standard and the ISO 20000-1 standard for service quality management systems. This must also be accompanied by a process to ensure compliance with the GDPR, as well as compliance with certain controls in the ISO/IEC 27018 standard and the specific requirements for HDSs established by the ANSSI. ISO standards are therefore not only necessary for the implementation of an ISMS in professional organisations, but also a guarantee of protection for your sensitive personal data.

If cybersecurity certification standards are sufficiently adapted to the size and purpose of organisations, they will play an increasingly important role in the long-term viability of tomorrow’s businesses. For example, the growing development of cyber-insurance offers will lead organisations to demonstrate their efforts in this area, since insurance policies will require a sufficient level of security in relation to the risks involved in the future policyholder’s activity. For example, the implementation of an ISMS, which we have seen as an all-encompassing approach to IS security, could become a prerequisite for taking out insurance. These normative prerequisites will also be a guarantee for insurers, as they will help to counteract the phenomenon we are seeing today of IT security being neglected on the pretext that the organisation is insured.

Continuous improvement of the ISMS (PDCA)

The ISMS continuous improvement process follows the Deming model, Plan-Do-Check-Act (PDCA).

  • Plan: this stage involves gathering the information needed to identify security vulnerabilities and assess the risks. It is on this basis that the organisation’s security processes and policies are defined.
  • Do: this second stage consists of applying the policies developed previously.
  • Check: this involves monitoring and measuring the effectiveness of the processes put in place and evaluating the results.
  • Act: this final stage involves improving existing processes, eliminating them or developing new ones based on the results.

Figure: ISMS continuous improvement — Copyright CyberSecura, use and reproduction prohibited

To conclude

Thus, the standards accompanying the implementation of ISMS enable organisations to enjoy a wide range of benefits over the long term by securing the trust of users, using cybersecurity as a marketing asset and securing the organisation’s assets to ensure its resilience.

Sources:

(1): “Le SMSI : comment gérer la sécurité de l’information dans l’entreprise ?”, Trustpair, 13 September 2021.

About CyberSecura

CyberSecura is a Grenoble-based company providing consultancy, services and support for professionals in cybersecurity and GDPR regulatory compliance.

Comprising experts in every facet of these fields, CyberSecura has been working since 2017 on securing infrastructures, software or mixed digital products, business processes, as well as the governance of the protection of personal data used.

CyberSecura’s customers range from large corporates to small organisations in both the private and public sectors, and it offers support solutions designed specifically to improve security and compliance for very small businesses, SMEs and small local authorities.

Discover the CyberSecura website!
