ISO defines an ISMS as a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.
An ISMS is focused on securing sensitive information (written, spoken, electronic) and using a systematic approach to ensure it remains secure. An ISMS is a risk-based management system which applies to people, processes and technology.
ISO 27001 is a unique standard. While it includes the common management system benefits of an ISO management system for leadership, resources and improvement, it also requires the planning and the actions for identification and remediation of risk to the business, the information being protected, the people, processes and technology. At Radian Compliance, we say that the ISMS begins and ends with Risk.
What makes this standard unique is the inclusion of an Annex A. Annex A details 11 control domains (for a total of 114 controls) to use for mitigating the risks (risk treatments) an organization identifies. The Annex A table is further supported by ISO 27002. That document provides extensive guidance on the interpretation and implementation of each control, with examples for different industries and risk levels. The requirements document (ISO 27001) and the guidance document (ISO 27002) should be purchased together to get the most value from the information.
— POSTED APRIL 8, 2022 —
Update to ISO 27002:2022
ISO has made significant changes to the document that supports the Annex A table in ISO 27001:2013.
ISO 27002:2022 was recently released to rework aging terminology and to support hybrid environments in relation to information security. It is very important to note that ISO 27002:2022 contains the “shoulds”, i.e. the guidance statements that further explain the intent of the security controls identified in the Annex A table found in ISO 27001:2013. CLICK HERE to review a summary of the changes.
Please note: the current guidance document (ISO 27002:2013) is still the authoritative supporting document.
Why implement and certify to an Information Security Management System (ISMS)?
- Identify risks and create effective risk treatment plans.
- Respond to the numerous security questionnaires of clients and partners with a standardized set of Information Security Controls.
- Engage the entire organization in the practice of information security with ownership and responsibility of process, risks and monitoring of controls.
- Reduce risk to third party/hosted services by creating a structured supplier risk management program.
- Become rapidly compliant with new information security regulations/mandates by having an ISMS that is continually monitored and reviewed for effectiveness and sustainability.
- Be proactive instead of reactive to potential threats and vulnerabilities.
- Provide additional privacy controls to meet evolving regulatory requirements by adding ISO 27701* to the ISMS.
* The Radian Team also supports ISO 27701 – Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. This Privacy Information Management System (PIMS) standard, published in 2019, provides a framework that supports an organization's ability to protect personally identifiable information (PII) and meet ever-evolving regulatory requirements. Radian's knowledgeable team will assist with implementation and internal audit should an organization need a dual-marked certification of ISO 27001/ISO 27701. Please note that ISO 27701 cannot be certified on its own; an organization adds it to an existing ISO 27001 system to obtain a “dual-mark” certification.