ISO 27001

The efforts companies make to address information security, in relation to the risks that can lead to a loss of confidentiality, integrity or availability, have led them to increase their investments every year in order to reduce their exposure to risk.

These investments are turned into projects that range from a technological implementation, which constitutes a specific information security control, to projects aimed at defining and implementing security models that allow an information security strategy to be managed continuously, and that must be implemented and improved over time.

What is ISO 27001?

The international standard ISO/IEC 27001 has been presented as a model for the establishment, implementation, operation, monitoring, review, maintenance and improvement of an information security management system. A priori, this indicates that a formal framework for managing a company's information security can be generated. It is interesting to go back to basics and ask: What is information security? What does it mean to manage information security?

Information security is defined by ISO/IEC 27001 as: “the preservation of confidentiality, integrity and availability of information; it can also involve other properties such as: authenticity, traceability, non-repudiation and reliability.” Alternatively, in a practical sense and as an element of business value, it can be defined as: “the protection of information against a series of threats in order to reduce damage to the business and increase its opportunities and profits.” This last definition strongly suggests that information security is a strategic and business matter which should be addressed by senior management.

In this sense, managing means coordinating and directing a series of activities, together with the available resources, in order to achieve certain objectives; this implies, above all, broad and strong interactions among the environment, the structures, the processes and the products to be obtained.

Taking the above into account, we must recognize that information security management requires a strategy aligned with the business and its objectives; it requires resources and a set of activities, coordinated by a security team, that extend throughout the whole company, from senior management to end users.

This model is a proposal for companies to control and direct their actions and decisions regarding the improvement of their information security, so as to have a model consistent with the nature of the business and aligned with its objectives. A set of procedures is presented that companies should define and implement in order to advance the maturity of their information security model, based on:

  • Information assets.
  • Information security risks.
  • Information security incidents.
  • Compliance.
  • Business continuity.
  • Change and information security culture.
  • Information security strategy.

For each step, its definition is presented, together with its relationship to each stage of the continuous improvement cycle (Plan, Do, Check, Act). The relationships and dependencies among the steps are also presented.

In this sense, it is important to go beyond meeting regulatory requirements and complying with an international standard, and to present the practical elements that allow companies to understand and measure the efforts needed to manage information security systematically.

The international standard ISO 27001, together with all the standards making up its family, sets out all the requirements needed to implement an Information Security Management System quickly and easily. In addition, the Software for the ISO 27001 standard provides a solution to all the issues that arise when implementing an Information Security Management System in a company.