What is ISO 27001 and ISMS?
ISO/IEC 27001 standard and Information Security Management System (ISMS)
ISO/IEC 27001 is an international standard that defines the requirements for an Information Security Management System. Because the full name is long, the abbreviation ISMS (Information Security Management System), taken from the English initials, is commonly used internationally.
The ISO/IEC 27001 standard requires an organisation to assess its information security risks, to select and implement preventive and mitigating controls and, of course, to document the choices made appropriately. The objective is to build a management system that ensures information security and helps prevent information leaks and other serious incidents.
The ISO/IEC 27001 standard is widely used among software companies and especially among cloud service providers. Developing and certifying a management system that meets the requirements of the standard demonstrates to customers that the company has a system in place that meets international requirements and helps ensure that information entrusted to the company, or handled by the technical solutions it develops and provides, remains secure. The aim is to reduce the risks associated with information security.
The content of ISO/IEC 27001 is not complex in itself, but it requires considerably more work than ISO 9001 and similar standards. Those familiar with other management system standards will recognise the structure of the standard. What makes this standard special, however, is its normative Annex A, which brings together the requirements for information security controls. In the ISO/IEC 27001:2022 version, these requirements are divided into four groups:
- 5 Organisational controls
- 6 People controls
- 7 Physical controls
- 8 Technological controls
Deciding whether and how to apply these requirements in your organisation is the main focus of developing an information security management system. The choices made must be properly documented (in the form of policies, procedures, etc.) and, of course, the management system must be continuously improved. TJO Konsultatsioonid can assist you in developing and documenting your information security management system.
ISO/IEC 27001 training
Various training courses on the requirements of the ISO/IEC 27001 standard can be ordered from TJO Konsultatsioonid. We regularly conduct public training courses on “Information Security Management System compliant with ISO 27001:2022”. In addition, it is possible to order:
- training on the ISO 27001:2022 compliant information security management system as in-house training;
- a free short presentation on the requirements of the standard as a first overview (for the management of organisations interested in implementing the standard).
ISO/IEC 27001 management system consultation
One of our core services is the development of management systems. The usual aim of a consulting project is to make the organisation’s work more efficient and transparent. Depending on the client’s wishes, however, the aim may also be to bring the information security management system to a level that complies with the requirements of the standard and is ready for certification by an internationally recognised certification body.
The ISO/IEC 27001 consultation project is usually divided into four phases:
- an analysis of the current situation and needs of the organisation;
- development of solutions and an ISO/IEC 27001 compliant information security management system;
- implementation of the updated management system;
- launching an audit programme.
The content and scope of the consultancy project depend on the current level of the system to be developed and on the client’s requirements. Read more about the information security management system development project.
Carrying out an internal audit of the information security management system
We are ready to carry out internal audits of the information security management system as a service; see more about carrying out internal audits of the management system as a service. We are, of course, also prepared to provide in-house training for the internal auditors of the information security management system.
For more information
If you need more information about the ISO/IEC 27001 standard, feel free to contact us! We are ready to assist you with appropriate training, consultancy services and materials. Be sure to also read the articles related to quality management in our “Useful Information” section.