The Process of ISO 27001 Certification
An information security management system (ISMS) is an essential part of any business that deals with sensitive information. ISO 27001 is an international standard which makes implementing an effective ISMS as thorough and efficient as possible. The process for becoming ISO 27001 certified is not difficult, but it must be done correctly to achieve the best results.
The first step is to assign project responsibility. Someone will need to oversee the entire process to ensure targets are met in a timely and orderly fashion. Usually the project head will be a senior member of management with ties to the IT department. In other cases he may be someone in the company security department or even an outside consultant brought in specifically for the project. The project head will delegate various portions of the project to the appropriate people within the company structure.
With project assignments in place, the team must turn its attention to defining current information security policy. This assessment includes how different departments handle information security, the specific protocols in place for dealing with security incidents, and whether or not current information security policies are uniform across the company. A published report should conclude this phase in order to allow the results to be viewed by the entire team and company management.
Next, the scope and objectives of the ISMS must be determined. The team will analyse the different types of information that need to be secured, as well as all company departments that deal with that information. In a tool and die environment, for example, machine operators on the shop floor likely don't deal with sensitive information. The ISMS policies need not be applied to them or their direct low-level managers. One of the keys to a successful implementation of ISO 27001 standards is to keep things as efficient as possible.
The final step for the project team is to develop security policies, using the ISO standards, that will meet the scope and objectives set forth in the previous phase. This may require expanding current security policy or scrapping it and starting over. The team should be prepared to make modifications to their own proposals as advised by those who must implement the policies.
Once the ISMS has been fully implemented, an audit is conducted by an accredited certification agency. The audit will include looking over all published reports and paperwork compiled during the project. Therefore, it is essential that all care be taken in producing comprehensive and accurate reports. The auditor will examine new and modified policies, their implementation and effectiveness, and the standards put in place to accommodate changes in the company's business. If all is in order, and the company passes the audit, certification is issued. If not, alterations are made by the team and a second audit is scheduled.
Upon receiving certification, the effectiveness of any ISMS is dependent upon the company's willingness to stick with the security policies and standards. Periodic follow-up audits are performed, usually on an annual basis, to ensure continued compliance with the certification.