ISO 27001 Certification (Information Security Management System Certification)
DQS HK, 2022-01-18T16:00:37+08:00
ISO 27001 Certification – Information Security Management System (ISMS)
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
The ISO 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties. ISO 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).
What is an ISMS?
An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure.
This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization.
The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.
This International Standard can be used by internal and external parties to assess the organization’s ability to meet the organization’s own information security requirements.
Certification to ISO 27001:2013 ISMS
Certification to ISO/IEC 27001 is being adopted by more and more organizations, both to benefit from the best practice the standard contains and to reassure customers and clients that its recommendations have been followed.
What Organizations can be Certified to ISO 27001?
The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
In reality, some may think that ISO 27001 applies to the IT sector only, but this is a misunderstanding. No doubt, a company in the IT sector may be vulnerable to data leakage on a large scale, which is why many companies with intensive IT operations have been the pioneers in pursuing ISO 27001 certification.
As time goes by, more and more companies in other industries realize that information security is no less important to them, so they are also pursuing Information Security Management System (ISMS) certification against ISO 27001.
How does ISO 27001 Work?
Most organizations have some information security controls in place. However, without an information security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention.
Security controls in operation typically address certain aspects of information technology (IT) or data security specifically, leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole.
Moreover, business continuity management and physical security may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.
ISO/IEC 27001 requires that management:
systematically evaluate the organization’s information security risks, taking into account the threats, vulnerabilities, and impacts;
establish and implement a comprehensive suite of information security controls and risk treatment (such as risk avoidance, reduction, or transfer) to address those risks that are deemed unacceptable; and
adopt a management process to ensure that the information security controls and residual risks meet the organization’s information security needs on a continuous basis.
Structure of ISO 27001:2013
The official title of the ISO 27001 standard is “Information technology — Security techniques — Information security management systems — Requirements”.
ISO/IEC 27001:2013 has ten clauses and an annex, including:
Scope of the standard
How the document is referenced
Reuse of the terms and definitions in ISO/IEC 27000
Organizational context and stakeholders
Information security leadership and high-level support for policy
Planning an information security management system; risk assessment; risk treatment
Supporting an information security management system
Making an information security management system operational
Reviewing the system’s performance
Annex A: List of controls and their objectives
Controls within ISO 27001:2013
There are 114 controls in 14 groups and 35 control categories in the ISO 27001:2013 standard:
A.5: Information security policies (2 controls)
A.6: Organization of information security (7 controls)
A.7: Human resource security (6 controls, applied before, during and after employment)
A.8: Asset management (10 controls)
A.9: Access control (14 controls)
A.10: Cryptography (2 controls)
A.11: Physical and environmental security (15 controls)
A.12: Operations security (14 controls)
A.13: Communications security (7 controls)
A.14: System acquisition, development and maintenance (13 controls)
A.15: Supplier relationships (5 controls)
A.16: Information security incident management (7 controls)
A.17: Information security aspects of business continuity management (4 controls)
A.18: Compliance with internal requirements, such as policies, and with external requirements, such as laws (8 controls)
As you can see, the controls are not limited to IT-related processes. For a particular organization, certain controls may not be applicable.
Typical Steps to ISO 27001 Certification
Training as necessary, such as training on understanding the standard or internal auditor training.
Establishment of an ISMS, with optional support from a consultant.
Implementation of the ISMS over a period of a few months.
Internal audit, followed by improvement actions.
Initial Certification Audit by a Certification Body with accreditation, such as ANAB.
Stage 1 Readiness Review is a preliminary document review of the ISMS, checking the existence and completeness of key documentation such as the information security policy and objectives, the Statement of Applicability (SoA) and Risk Treatment Plan (RTP), and internal audit and management review results. Its purpose is to judge whether the organization is ready for the Stage 2 Audit.
Stage 2 Audit is a more detailed and formal audit. The auditors will seek evidence to confirm that the ISMS has been properly established and implemented in an effective way with Plan-Do-Check-Act (PDCA) approach.
Closure of any nonconformities (NCs) raised in the Stage 2 Audit.
Issuance of the certificate, with a validity of 3 years. From then on, the certified organization can use the DQS certification mark for marketing purposes according to the defined rules.
Annual Surveillance Audits in the following 2 years to confirm that the organization remains in compliance with the ISO 27001 standard.
Recertification Audit well before the expiration of the certificate in the 3rd year, to renew the certificate with another 3-year cycle.
Introduction to GDPR
The General Data Protection Regulation (GDPR), the EU’s regulation for data protection, became effective on 25 May 2018. The GDPR applies to the handling of personally identifiable information of EU citizens. It applies not only to organizations in the EU, but also to organizations outside the EU that process and keep the personal data mentioned above.
Local organizations should conduct a full and serious review of their practices in handling personal data in their business operations. Significant changes may be necessary to operations involving personal data, from collection, storage, identification and analysis to usage and transfer.
Depending on the impact and on the organization’s due diligence, an organization that breaches the GDPR may be subject to a fine of up to the higher of EUR 20,000,000 and 4% of its annual global revenue.
Key Terms in GDPR:
Personal data: “Any information that relates to an identified or identifiable living individual.”
Data controller: “The entity that determines the purposes, conditions and means of the processing of personal data.”
Data processor: “An entity which processes personal data on behalf of the controller.”
Key Requirements of GDPR
As compared to Directive 95/46/EC, the requirements are enhanced. The key points include, but are not limited to:
Territorial scope: Not limited to organizations within EU.
Purpose limitation: Collected for specified, explicit and legitimate purpose.
Data minimization: Adequate, relevant and limited to what is necessary in relation to the purpose.
Accuracy: Accurate and, where necessary, kept up to date.
Storage limitation: Kept in a form which permits identification of data subjects for no longer than is necessary.
Integrity and confidentiality: Processed in a manner that ensures security.
Conditions for consent: Organizations must request permission using easy-to-understand terms. Assuming consent or requiring users to opt out is not allowed.
Right to access: Increased transparency by requiring controllers to provide data subjects with confirmation of data processing.
Right to be forgotten: Data subjects can request controllers to erase their personal data and stop distributing the data.
Automated processing: Data subjects have the right not to be subject to a decision based solely on automated processing.
Data portability: Data subjects have the right to receive their data upon request and to transfer that data to another controller.
Data protection officers: Some organizations, such as those whose primary purpose is processing personal data or sensitive information, shall appoint Data Protection Officer(s), who may be an employee or a third party.
Data breach notification: Within 72 hours after a data breach, the controller shall notify the supervisory authorities and the data subjects affected, “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Data processors shall also inform the controllers of any known data breach.
Parental consent: Processing the personal data of children under the age of 16 for online services requires parental consent. Member states can designate a lower required age (down to 13) for consent.
Special categories of data: Some types of data have more stringent requirements for consent, such as the data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
Third countries: Specific rules for transferring data to third countries or international organizations.
Due diligence: Establish technical and organizational measures to demonstrate compliance to GDPR.
Subcontractor control: Data controllers shall ensure that data processors have the ability to fulfil the requirements of the GDPR.
Certification: Voluntary data protection certification to show compliance to this regulation.
Relation between GDPR and ISO 27001 ISMS
Both address the confidentiality, integrity and availability of data.
GDPR applies only to personal data, while ISO 27001 has a broader scope covering information in general.
GDPR covers the right to be forgotten, data portability and the right to be informed about your personal data, which are not mandatory requirements in ISO 27001.
A management system based on ISO 27001 can support the achievement of compliance with GDPR.
Possible Solutions by the Organizations
Arrange management and front-line employees to attend GDPR related training courses.
Implement an Information Security Management System (ISMS) based on ISO 27001:2013.
Implement controls on outsourced processes.
Implement regular internal and external audits on operations.
Improve the ISMS based on risk levels.
Relation with ISO 27701:2019 for Privacy Information Management
ISO 27701:2019 is an extension to ISO 27001 and ISO 27002 for privacy information management.
If personal data management is important to your business, you may consider pursuing ISO 27701 PIMS certification together with ISO 27001:2013 ISMS certification, to address the significant risks and challenges arising from the large number of privacy-related regulations, such as the GDPR of the EU, the CPRA of the USA, the PDPO of Hong Kong and the PIPL of Mainland China.
The ISO 27001:2013 international standard for information security management provides business owners and their employees with a systematic management model for establishing and ensuring information security. An organization’s strategic decisions should include information security management.