The ISO 27001 requirements set out in the standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
How is the standard structured and interpreted for businesses or organizations?
How to get started with ISO 27001:2013?
There are 8 key ISO 27001:2013 clauses that you need to cover to achieve conformance to the ISO 27001 requirements for certification. You might find the standard lengthy and hard to interpret when reading it.
Below is an outline of each clause to make it easier to understand:
1. Certification Scope
This is where you define the scope of coverage of the Information Security Management System (ISMS) for your organization.
Once the ISO 27001 requirements are implemented, they should be reviewed regularly to identify any opportunities for improvement in operations.
2. Context of the Organization
- The organization shall determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome of the ISMS.
- The organization shall determine the interested parties and the requirements of those interested parties.
- The organization shall determine the boundaries and applicability of the ISMS in order to establish its scope.
3. Leadership
Top management shall demonstrate leadership and commitment by:
- ensuring that the ISMS policy and objectives are established
- ensuring that the ISMS requirements are integrated into the organization's processes
- ensuring that the resources needed for the ISMS are available
- communicating the importance of the ISMS
- ensuring that the ISMS achieves its intended outcomes and objectives
- promoting continual improvement
- establishing an information security policy (including objectives, commitment and continual improvement)
- ensuring that the responsibilities and authorities for roles relevant to information security are assigned and communicated
4. Planning
- The organization shall determine the risks and opportunities that need to be addressed, plan the actions to address them, and evaluate the effectiveness of those actions.
- Establish the risk acceptance criteria and the criteria for performing information security risk assessments.
- Define, apply and document an information security risk assessment process.
- Identify, analyse and evaluate the information security risks and assign a risk owner to each.
- Define, control, apply and document an information security risk treatment process.
- Establish and document information security objectives at the relevant functions and levels.
5. Support
- Determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS.
- Determine, ensure and evaluate the necessary competence of persons doing work under the organization's control.
- Persons doing work under the organization's control shall be aware of the information security policy.
- The organization shall determine the need for internal and external communications (what to communicate, when, by whom and to whom).
- Documented information shall be controlled, including its identification and description.
6. Operation
- The organization shall plan, implement and control the processes needed to meet the ISO 27001 requirements and to implement the actions determined during planning.
- The organization shall perform information security risk assessments and implement the information security risk treatment plan at planned intervals, and retain documented information of the results.
7. Performance Evaluation
- The organization shall determine what needs to be monitored and measured, how, when and by whom, and when and by whom the results of monitoring and measurement shall be analysed and evaluated.
- The organization shall conduct internal audits to determine whether the ISMS conforms to the organization's own requirements and to the ISO 27001 requirements, and whether it is effectively implemented and maintained.
- Top management shall review the organization's information security management system to ensure its continuing suitability, adequacy and effectiveness.
8. Improvement
- When a nonconformity occurs, the organization shall react to it by evaluating it, taking action, and reviewing the effectiveness of that action.