ISO / IEC 27000: 2018 provides an overview of information security management systems (ISMS) and terms and definitions commonly used in the Information Security Management System ISO / IEC 27001 standard family.
Designed for all types of organizations, from multinational enterprises to small and medium-sized enterprises, the new version of February 2018 is equally valuable for government agencies or non-profit organizations.
The 27000 family has more than a dozen standards. The newly published ISO / IEC 27000 provides an understanding of how standards come together: their scope, roles, functions and their interrelation.
The ISO / IEC 27001 community will find this standard useful as it combines all the basic terminologies used by other standards in the ISO / IEC 27000 family.
Preserving the knowledge of today's business environment, where technology and communication are developing at a stunning speed, has become even more important. Information is of great importance for an organization to continue its activities. It is a serious challenge to identify security risks and threats to information assets and to check open points in the system. Establishing information security and ensuring the continuity of the controls will depend on establishing the security principles and determining the management processes correctly.
In today's business world information security it is considered to be a serious risk, and it is necessary to define and realize consistent information security controls, but also to bring risks to acceptable levels, to establish certain standards in the organization.
ISO / IEC 27001 is the only international auditable standard that defines the requirements of the Information Security Management System (ISMS). It is designed to allow selection of adequate and proportionate safety audits.
International Standards Organization The ISO / IEC 27001 Information Security Management System is a set of standards that help protect and manage valuable information assets. It is the only international system that defines the necessary standards for information security. This system is designed to ensure that adequate and proportional safety controls are selected.
In the International Organization for Standardization (ISO), standard preparatory work is generally carried out by technical committees. The ISO 27000 standards have also been prepared by the Joint Technical Committee established by the International Standards Organization and the International Electrotechnical Commission.
International Technical Technical Commission (IEC - International Electrotechnical Commission) Established in 1906 and is preparing international standards for electronic and similar technologies. The Turkish Standards Institute (TSE) is a member of this commission. The main objective of IEC is to increase the quality of products and services globally, to contribute to human health and safety and to support the protection of the environment. ISO is working on issues outside the scope of the International Electrotechnical Commission.
ISO 27001 Information Security Management System The companies that have set up, analyze the information infrastructure and analyze the possible attacks and dangers on these assets and decide what to do if these dangers occur. This is the most important system among integrated management systems for large scale organizations, especially those trying to acquire corporate identity.
The ISO 27001 Information Security Management System will provide the organization with great advantages in terms of identifying the risks to protect information and identifying measures to eliminate or minimize these risks.
There is no sector constraint to implement this system. Organizations in every sector can establish an Information Security Management System if they feel the need to protect information. However, the protection of information in the information technology sector is more important especially in banks and financial institutions, health institutions, public institutions.
ISO 27000 standards are actually made up of many standards. Here are some of these standards:
- ISO 27001 Information Security Management System Standard: This is the basic standard of the Information Security Management System.
- ISO 27002 Code of Practice Codes for Information Security Management System
- Customization Guide for ISO 27003 Security Management System
- ISO 27004 Scales, Reports Standard
- ISO 27005 Information Security Management System Risk Management Standard
- ISO 27006 Standard for Information Security Auditing and Certification
Today, Information Security Management is a system that should be managed as a whole in order to include all the human resources in the organization, especially the top management, information systems and business processes.
We said that the ISO 27001 Information Security Management System Standard is the main standard of the system. Establishment and certification of Information Security Management System in organizations is carried out on this standard.
The main objectives of this standard are:
- Identifying possible information security vulnerabilities of the organization, revealing threats against information assets and systematically controlling these threats.
- Identifying controls to ensure the security of information assets at risk, ensuring that these controls are performed, and keeping possible risks at acceptable levels.
- To ensure continuity in the information security controls to be performed in this way and to determine and implement management processes for this purpose.
The ISO 27001 Information Security Management System Standard was published in 2005 by the International Standards Organization. The full name is ISO / IEC 27001: 2005 Information Technology Security Techniques Information Security Management Systems Terms. It is generally known as the ISO 27001 standard.
The ISO 27001 standards cover the organizational structure, policies, planning activities, responsibilities, activities, application instructions, business processes and resources of an organization that establishes this system.