ISO/IEC 27001 is the basic international standard for the creation and operation of information security management systems in an organization. It is the most recognizable representative of the entire family of ISO 27000 standards, including over several dozen standards and sets of good practices. Its creators are recognized global institutions: the International Standardization Organization (ISO) and the International Electrotechnical Commission (IEC). On the basis of the international version, the Polish Committee for Standardization has published the national standard PN-EN ISO/IEC 27001. This article will present a short outline of what ISO/IEC 27001 is. Particular attention will be paid to the role and usefulness of the standard for Polish enterprises, including industrial.
There are at least 5 basic benefits of implementing ISO/IEC 27001 in a company:
1. Mapping the gaps in the company’s cybersecurity system
The process of implementing the standard, thanks to a systemic approach and a clear list of security features, allows to identify weaknesses of the existing cybersecurity system in the enterprise.
2. Transition from silos to the enterprise safety management process
From the CIO or CISO perspective, the implementation of the standard is an opportunity to properly embed individual technological and organizational solutions, as well as the activities undertaken, in the information security management process. ISO/IEC 27001 allows the introduction of a continuous process based on tested international good practices.
3. Fulfillment of legal requirements imposed on individual categories of enterprises in the national legislation
The National Interoperability Framework directly indicates that the requirements imposed on a public entity or a unit performing public tasks are deemed to be met in the case of implementing an information security management system developed on the basis of ISO/IEC 27001.
In the case of Key Service Operators indicated on the basis of the Act on the National Cybersecurity System, their main task was to implement a security management system in the information system used to provide the key service. In the light of the requirements concerning the characteristics of this system (Article 8, paragraphs 1-6), it can be assumed that basing the system logic in an enterprise on the ISO/IEC 27001 standard fulfills the objectives indicated by the legislator. At the same time, it should be emphasized that in the case of elements relating to the protection of the interface between IT and OT networks, it is necessary to supplement them with actions resulting from the ISA/IEC 62443-2-1 standard.
4. Meeting the tender requirements
According to Poland’s recent Public Procurement Law, the awarding entity may require in a tender that contractors meet the requirements of specific standards (Art. 116) 1. Taking into account the scope of the discussed standard, it can be indicated that companies that have implemented and certified their information security management system in accordance with ISO/IEC 27001 will constitute a group of desirable contractors, especially in the case of sensitive industries.
5. Building trust among customers and business partners
Information is often the company’s most valuable resource. At the same time, no company, nor any consumer, functions in a vacuum, therefore the threats and potential attack areas also result from which market partners are chosen by individual entities. The security of the entire supply chain is a high-level problem here, which in practice, in the everyday activities of enterprises, takes the form of trust that can be built, inter alia, by using internationally recognized standards such as ISO/IEC 27001.
The ISO/IEC 27001 standard defines the requirements for the creation, implementation and continuous improvement of an information security management system (ISMS) in an organization. It is designed to ensure the confidentiality, integrity and availability of information, which in turn can be essential to maintaining competitiveness, financial liquidity, profit, legal compliance and corporate image. In simple terms, information security management in an organization is achieved through properly conducted risk assessment processes and continuous risk management. The risk culture defined in this way and the concept of continuous improvement are implemented through a number of necessary activities, including proper identification of resources and the company’s environment; creation and application of appropriate policies and procedures; implementation of tailored security features, including technical and organizational solutions; assigning individual responsibilities to the management board and employees.
Full guidance on the implementation of ISO/IEC 27001 is described in a separate standard ISO/IEC 27002. By simplifying this process for the purpose of a brief presentation, there are five basic steps:
1. Planning
Conceptual work on, inter alia, which people in the organization will play particular roles in the implementation and operation of the ISMS. Importantly, it is necessary to involve the management staff in this process. Apart from CISO or CIO, it is ultimately the management who is responsible for the functioning of the system. At this stage, it is also necessary to identify the owners of systems and information in the organization who should have an active role in creating the ISMS. Without this, the implementation of the system may meet the resistance of personnel who work with individual system elements on a daily basis in a different way than planned under ISMS. In this step, as well as for further actions, you can use the so-called RACI matrix that defines the possible functions of a specific employee:
• Responsible
• Accountable
• Consulted
• Informed
2. Research
In this step, you should become aware of what the specific organization should protect. To do this, you need to map assets that fall into two basic categories: informational and other. The second category concerns assets that are used to store, process or transmit information, i.e. about end devices (e.g. laptop), software, physical office, but also employees or external services (e.g. cloud providers or marketing services). Next, the relationship between informational and non-informational assets needs to be determined in order to understand the relationships. For this purpose, for example, a matrix showing the relationships between two categories of assets can be used.
3. Risk assessment
In this step, it is necessary to evaluate the value of specific assets. Helpful in this process is, among others characterizing information assets in terms of basic attributes, i.e. security, confidentiality and availability. The assessment of value itself can be made using different value scales. A common scale is a simple triple breakdown into low – medium – high. The context of the company’s operation, which has a direct impact on risk assessment, should also be assessed. Threats specific to particular latitudes or market industries are an important element of the process. In the course of risk assessment, the existing safeguards – both technical, organizational and legal – should also be taken into account.
4. Creation, implementation and improvement of the information security management system
Based on the collected data, it becomes possible to create an information security management system. The complete list of safeguards to be implemented in accordance with ISO/IEC 27001 can be found in Annex A, Table A.1. Information security can be achieved by implementing an appropriate set of measures, which may include policies, practices, procedures, organizational structures and software functions. It is worth pointing out that, according to the standard, there is no partial implementation of a specific security – it is considered as a failure to apply the security. More details on how to build ISMS in practice can be found in the already quoted ISO/IEC 27002 standard. It should be noted here that the system itself assumes not only the implementation of individual security measures, but also the continuous management of information security, e.g. by controlling the implementation as well as monitoring the results. Continuous improvement of the ISMS in response to changing realities is an inherent feature of the described standard and system.
5. Certification
In order to confirm the implementation of the Information Security Management System in the company, you must undergo a certification process. It is based on the analysis of the facts and documentation. ISO/IEC 270001 certificates are valid for 3 years, with the proviso that they must undergo a surveillance audit every year.
—
If you would like to learn more, please follow our social media accounts for further updates when a new publication is available or sign up to our newsletter.
—
Tags: cybersecurity; cybersecurity for industry, cybersecurity for automation, cyberbezpieczeństwo, cyberbezpieczeństwo dla automatyki, cyberbezpieczeństwo dla przemysłu, SCADA, SCADvance, SCADvance XP, cyberbezpieczeństwo OT, cyberbezpieczeństwo infrastruktury, OT security, critical infrastructure protection, cyberbezpieczeństwo dla infrastruktury krytycznej
Fill in the form. Our experts will contact you to arrange individual tests.