ISO/IEC 27001:2013 Information Security Management System


ISO/IEC 27001 is an internationally recognized standard that can be implemented by any organization (commercial enterprises, government agencies, non-profits, NGOs, etc.) of any size (from micro-businesses to large multinationals), in either the production or the services sector. It also covers all industries and markets (retail, banking, defense, healthcare, education, government, private, etc.). It was drawn up by the International Organization for Standardization (ISO) with the intent of setting international requirements for an Information Security Management System.

According to the definition by the International Organization for Standardization (ISO), "the ISO/IEC 27001 standard is developed to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the Information Security Management System (ISMS)".

In today's business world, information is a life support system for any organization. But an organization's systems for securing that information are exposed to various kinds of security threats, e.g., computer-assisted fraud, spying, damage to or destruction of data, damage to property, fire or flood. The most common are computer viruses and hacking, which have become more frequent and increasingly sophisticated.

ISO/IEC 27001 is a specification for an information security management system: a framework of activities and policies for managing information risks. An ISMS is used by an organization to identify, analyze and address its information risks, and to ensure that its security arrangements are adjusted to keep pace with changes in security threats, vulnerabilities and business impacts.

ISO 27001 ISMS – Revision History

Year 1992 – Code of practice for security management

Year 1995 – British Standards Institution (BSI) BS 7799

Year 2000 – ISO/IEC 17799

Year 2005 – ISO/IEC 27001:2005 (Information security management system) Published

Year 2013 – 1st Revision of the standard

Applicability (Which organizations can obtain ISO/IEC 27001 certification?)

Organizations requiring robust controls for the Confidentiality, Integrity and Availability of their data can implement an ISO/IEC 27001 ISMS. Generally, organizations in the fields of Information Technology, Research and Development, Design Services and Financial Services obtain ISO/IEC 27001 certification. In most cases, it is a specific requirement stated by their customers.

Focus Points – ISO/IEC 27001:2013 Implementation

ISO 27001 requires that management:

  • Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts;
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.

Benefits of ISO 9001:2015 implementation

  • Compliance with confidentiality, integrity and availability requirements for data
  • Recognition by overseas customers
  • Mandatory requirement for being an outsourcing subcontractor to a parent company
  • Satisfaction and retention of valuable customers
  • Compliance with business, legal, contractual and regulatory requirements
  • Improved structure and focus with respect to information security

ISO/IEC 27001 ISMS Implementation Process by PQSmitra

PQSmitra adopts a result-oriented approach to effective information security management system implementation in the organization. The PQSmitra team offers assistance in framing the "Statement of Applicability" and in documenting the various procedures required for compliance and implementation. PQSmitra offers 100% documentation support to achieve successful certification, in addition to enhanced operational controls. The implementation process is described below:

  • Initial visits and review of the existing system
  • Statement of applicability
  • Identification of controls and planning for implementation
  • Training and hand-holding/support for implementation
  • Internal audit for verification of implemented system
  • Management review
  • Certification audit – Stage 1 & Stage 2
  • Closure of non-conformities
  • Awarding of the certificate to the organization

ISO/IEC 27001:2013 Reference Standards

  • ISO 9000:2015 – Quality management – customer satisfaction – Guidelines for complaint handling in organizations
  • ISO 27002 – ISMS controls
  • ISO 27003 – ISMS Implementation guidelines
  • ISO 27004 – ISMS Measurements
  • ISO 27005 – Risk Management