ISO/IEC 27001/27002 –
an effective approach for a
successful information security
management system

The ISO/IEC 27001/27002 standards provide a full-scale systematic approach to managing information security within your organisation. Although not a compulsory requirement, compliance or certification to the standard provides a set of best practices and serves as a blueprint to a well-established management system for information security within your organisation.

Main benefits
By complying to the standard, you will:

• Manage the integrity, confidentiality, and availability
  of information
• Have all the basic information security processes
  in place
• Identify and mitigate security gaps through a
  rigorous risk management process
• Provide confidence to interested parties

As the need for information security is ever-changing with a shifting threat landscape, adhering to a well-tested and globally recognised standard and implementing an information security management system (ISMS) accordingly, is essential for protecting your organisation’s valuable information assets.

Applicability of the standard
ISO 27001 provides a management framework for information security management system within an organisation, through a set of normative requirements and best practices for information security. ISO 27002 acts as a supporting document. While it is possible to gain certification to the ISO 27001 standard, the purpose of ISO 27002 is to act as guidelines for implementation of security controls pertaining to organisational, technological, physical, and people controls. As the standards are industry agnostic and widely recognised as best practice for an ISMS, they can be implemented across any organisation within both private and public sectors, regardless of the size. Similarly, they are also compatible with other management systems and frameworks like NIST CSF.

Implementing a robust Information Security Management System
The journey to compliance and certification is twofold – implementing an ISMS with the requirements from ISO 27001 as well as implementing applicable and organisation-specific security controls from ISO 27002.

The journey for your organisation starts by defining the scope for the ISMS. As the scope is decided, security objectives shall be defined. Performing a GAP-analysis in parallel to decide the effort aids in assessing the current security posture which your organisation holds. Through risk assessments and risk treatment plans, a management system can thereafter be created where policies, processes, and procedures are included.

Controls are implemented based on the result from the GAP-analysis and after defining the scope and current risk posture. Creating security awareness and training in information security is a vital part.

With the controls in place, the ISMS performance should be monitored and practices for management reviews should be defined to review the management system’s effectiveness and suitability. When the ISMS is fully developed and implemented, an internal audit is performed to assess the readiness of the overall management system.

How can Seadot Cybersecurity support your organisation?
Seadot Cybersecurity has vast experience in aspects related to information security, compliance, and certification. We can provide a one stop-shop for all concerns related to thoroughly implementing an effective ISMS.

At Seadot we can help you with:

• implementation planning and scoping
• identifying organisation-specific risks
• assessing current security posture and security objectives for the organisation
• identifying required and risk-based security controls to achieve security objectives
• implementation of security controls
• training and awareness activities
• internal audits ensuring the maturity level of the ISMS
• preparation for certification

With extensive knowledge and experience in the field, Seadot’s compliance experts can facilitate the steps needed to fulfil all necessary criteria and guidance for a smooth compliance journey.