For developing an ISMS, the first step is to define the scope of the ISMS in terms of the organisational characteristics, business, its location, assets, and technology, which includes any interfaces with other systems and organisations. The scope of an ISMS may include the whole organisation or specific and identified sections of an organisation [AHK13]. It can be targeted towards a particular type of data, such as customer data, or
it can be implemented in a comprehensive way that becomes part of the organisation’s structure. As a part of the overall management system, an ISMS consists of interrelated or interacting elements of an organisation to establish policies, objectives, and processes to achieve objectives.
To achieve organisational and ISMS objectives, an appropriate risk
assessment is established based on the threats and assets within the scope of the ISMS, vulnerabilities, and impacts on an organisation. Based on the risk evaluation process, the control domains and controls for the treatment of risks are selected. The control domains, controls selected and the reasons for their selection are also documented. Then, the next stages of implementing, operating, monitoring, maintenance and improvement
of the ISMS are started. ISO 27001 describes best practices for developing an ISMS as one of the standards of the ISO 2700x family, which helps organisations keep information assets secure.
ISO 27001 provides a systematic approach, which ensures the Confidentiality, integrity, and availability of corporate information, applicable to all types and sizes of organisations. ISO 27001 main components are processes and policies [PL14] to help organisations safeguarding their information and physical assets in a structured manner. ISO 27001 is also the main reference standard for complying with various international laws and regulations. This compliance is based on organisational business policy, strategy, and contractual obligations. Especially, in the case of litigation or regress claims (on the grounds of inadequate information security), ISO 27001 certification could be beneficial [Int13]. For example, ISO 27001 can help management to prove an acceptable level of data protection, in case of security incidents [FVB08].
ISO 27001 provides awareness to protect against the information security vulnerabilities, which includes the requirements for continual improvement, as well as corrective and preventive action. ISO 27001 has a cycling process for developing, executing, monitoring and verifying security controls, which are flexible based on organisational information security requirements. Besides that, ISO 27001 does not mention any method for collecting, constructing and documenting the required information, which are all necessary steps for implementing this standard.
For implementing an ISMS compliant with ISO 27001, the scope of implementing ISO 27001 in an organisation and the ISMS policies are defined as a link between management and the information security activities. Afterwards, a risk assessment methodology is selected to define the rules for identifying the assets, vulnerabilities, threats, and impacts
to decrease the risks that are not acceptable to the organisation. Then, a document is provided to describe the selected controls that are applicable to the organisation, the reasons for such decisions, and a description of how to implement selected controls [BHSS14]. Afterwards, the effectiveness of these controls should be measured to assess the fulfilment of objectives of the whole ISMS and each applicable control. For implementing the controls and policies, the people should be trained to be able to perform as
expected [HP06]. At this stage, the ISMS policy, controls, processes, and procedures are operated, implemented and monitored based on the objectives for the controls and the measurement methodology, and then the internal audits are performed. Subsequently, the management should be informed and make decisions about the key issues related to ISMS. The most important step is management support for budget and human resource allocation because ISO 27001 is established based on responsibilities, planning, and requirements. Then, ISO 27001 requires systematic corrective and preventive actions to maintain and improve the ISMS
The organisation should assign responsibilities for implementing information security objectives, such as internal and external staff for ISMS communication. The organisation shall determine who measures implementation and effectiveness of the ISMS and analyse the results of this evaluation afterward with clearly defined responsibilities.
Adopting ISO 27001 involves almost all employees and different sections of an organisation, and several roles are required for developing this Standard. The CISO (Chief Information Security Officer) should define policies, procedures, and guidelines based on the organisational security requirements. The CISO should ensure the security of data, applications, and data communication systems [RMC07, Bre07, BMG01]. Senior
management plays an important role in motivating employees to follow policies, as compliance with the selected information security standard is one of the main concerns of senior management [MB82]. Accordingly, senior management should consider organisational culture to guide employees’ behaviour in a way to match the desired information
security culture [ZM13]. The management decisions for developing ISO 27001 is significant [BSKF11], such as approving selected controls and confirming essential resources.
ISO 27001 precisely mentions the involved people such as relevant external parties to communicate information security policies, and contractors to understand their responsibilities [Int13]. Selected internal auditors are also required to conduct internal audits at planned intervals to ensure objectivity and fairness of the audit process. Data operators or end users are the main executers of ISO 27001 rules and policies who have access to
information and use safeguards as the first defence layer of an organisation, for example, employees, third parties or contractors [HP06]. ISO 27001 also takes stakeholders into account to ensure an adequate level of risk management process [Bre07], whose legal system and contractual requirements should be determined.
The next POST introduces the history of ISO 27001 and the most important standards in ISO 2700x family of standards.