ISO 27001 is focused on data assurance, confidentiality and integrity, as well as on the systems responsible for managing information security.
This international standard was created to provide a model for establishing, implementing, monitoring, reviewing and maintaining an information security management system (ISMS).
One focus of the process for information security management presented in this standard is to encourage its users to emphasize the importance of:
It must be taken into account that ISO 27001 includes Annex A, which is essential to implement because it is the normative part of the standard. Annex A contains everything related to information security controls, which are fundamental because they help protect the information of companies; putting them into practice is mandatory.
Annex A of this standard contains a total of 114 security controls. Each organization must choose which ones best apply to its needs, and it is important to understand that the standard is not limited to the technology area: it also involves departments such as human resources, financial security and communications, among others.
This change was made in 2013; the previous 2005 edition of the standard had a total of 133 controls. The 2013 revision also eliminated the requirements for preventive actions and the requirement to document certain procedures.
With a technological solution such as Pirani and its information security module, companies can comply with ISO 27001, a certifiable standard. For example, with this module you can manage in a simple way the information assets that the organization has, know their level of criticality, and also manage the risks and incidents to which those assets are exposed when information security is not handled adequately.
The controls are mandatory depending on the applicability in each organization. Those in charge of information security are the ones who must define which ones are going to be implemented to ensure data protection.
It is essential to provide training on this standard in order to establish the appropriate controls for managing information security.
Additionally, the ISO 27001 standard requires more than the security controls themselves, so it is necessary to carry out the following actions:
Therefore, attention to Annex A and adequate training on the standard are essential to establish the relevant security controls.