ISO 27001:2013 information security management system

Together with its added values such as the establishment of an information security infrastructure in the organization, forming of an information security team, preparation of an action plan for risk mitigation, improvement of existing information security conditions, creation of the required documentation and creation of information security awareness in employees, ISO 27001 Information Security Management System is a necessity for every company for the secure sharing of information.

An information security management system requires the assessment of all the information in your organization and a risk analysis of the deficiencies of this information and the threats it may face. The organization should choose a risk management method and prepare a plan for risk treatment.

For risk treatment, control objectives and controls should be chosen from the standard and should be implemented.

In accordance with the planning, implementation, control and prevention cycle, risk management studies should be continued until the security risk level of the information is reduced to a reasonable level.

ISO 27001 requires organizations to prepare risk management and risk treatment plans,  determine roles and responsibilities, draw up business continuity plans, prepare emergency response plans and record them during implementation. The organization should issue an information security policy including all these studies and train employees on information security and threats.

Information security management as a dynamic process in which the identified control objectives are measured and the conformity of the controls to the objectives and performance is monitored continuously can only be provided by the effective support of the management and the employees’ participation.

  • Classification of information
  • Assessment of information in terms of confidentiality, integrity and availability
  • Keeping the records
  • Management review
  • Certification risk analysis
  • Identification of controls based on risk analysis results
  • Documentation
  • Implementing controls
  • Internal audits

What is important regarding ISO 27001 is that it proposes a MANAGEMENT SYSTEM. ISO 27001 does not tell you how your computer will not get infected. It will not tell you how the hackers cannot leak into your computer. It tells you about total information security and how to manage information security as an “active process”.

  • Business continuity: It guarantees work for a long time. In addition, it improves the ability to recover in the event of a disaster and continue business as usual.
  • To be in peace with related parties: It ensures the trust of suppliers and customers as their information will be kept secure.
  • Information awareness: The organization becomes aware of the information they have and its value.
  • Protection of information: The organization determines its protection methods with security controls and protects the information by applying them.
  • Prevents legal scrutinies.
  • Enhances reputation.
  • Protects the information through a system, does not leave it to chance.
  • Provides competitive advantage.
  • Increases employee motivation.
  • It is necessary for compliance with the Customs Procedures and Trade Facilitation Regulation.

SZUTEST > System Certification > ISO 27001:2013