How to Implement Information Security Based on ISO 27001
Making headlines can be good for business, but being in the news for a failure to secure information is the public side of a very private problem. Even before computers, businesses had information to protect, and we would recognize their methods: secret messages sent in private codes by courier, papers locked in vaults, and discretion expected of staff. As we are entrusted with more information, it is helpful to follow an established guide rather than invent our own information-security methods. The International Organization for Standardization (ISO) publishes its information-security management system standard as ISO 27001.
Instructions

1. Determine what kinds of information your business keeps that need to be secured. Besides personnel records in human resources, do you hold confidential customer information or trade secrets? Before you implement an information-security method, get a handle on both the magnitude of the undertaking and your potential business risk from an information-security failure. This lets you plan enough staff hours to ensure an effective implementation of ISO 27001.
2. Acquire the ISO 27001 standard from either ISO or your national member organization (in the United States, this is ANSI). While you may be able to find checklists and summaries from other sources, it is helpful to have a complete copy of the most recent version of the standard. In addition, you may want to acquire ISO 27003, the detailed guide to implementing the information-security management system described in ISO 27001.
3. Review the list of requirements in ISO 27001 with your current information-security practices and your information-security needs in mind. From the review, assess where your information-security management system needs to change and where your practices and policies already meet the standard.
4. Revise the information-security policies and practices that do not meet the ISO 27001 requirements. Keep your specific business risks in perspective by maintaining an organization-specific list of security objectives and requirements.
5. Train your employees on the new information-security management system. Ensure that the security objectives, practices and policies you developed from the ISO 27001 requirements are accessible to every employee with a responsibility for information management.
6. Achieve certification. Once your business has implemented the ISO 27001 information-security management system standard, you can announce the achievement through certification. Internal and external audits also help ensure that your business stays in compliance with a robust security-management system standard.