aQb Solutions is proud to announce that it has been awarded the Certificate of Registration for operating the information security management system ISO 27001 (ISO/IEC 27001:2013) in March 2019.
ISO 27001 (ISO/IEC 27001:2013) is the international standard that provides the specification for an information security management system (ISMS). The Standard is designed to help organizations manage their information security processes in compliance with international best practice while optimizing costs. It is technology and vendor neutral and is applicable to all organizations - irrespective of their size, type or nature of the operation.
ISO 27001 (formally known as ISO/IEC 27001:2005) may be explained as a specification for an information security management system (ISMS). The ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.
ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
1. Define a security policy
2. Define the scope of the ISMS
3. Conduct a risk assessment
4. Manage identified risks
5. Select control objectives and controls to be implemented
6. Prepare a statement of applicability
The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organization.
The 27001 standard does not specify any mandatory information security controls but provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.
ISO 27002 contains 12 main sections:
1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development, and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance
Organizations are expected to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance.