Christel Fouche

ISO27001 Explained

  • January 7th, 2008

So you thought that you are not working with this standard and that it is not applicable to you? Think again – information security is defined as the “preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved”. Do incident investigation documentation, medical examinations, confidential HR documentation, disciplinary hearings, incident statistics, monitoring and measurement results, etc. not fall into this category?

An information security management system is defined as “that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security”. Have you identified the top 10 information security risks which might have legal or other implications for your organization?

An information security incident is defined as “a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security”. What would happen if the information of an incident leaks into the wrong hands? What legal liability will you incur if personal medical information about one of your employees gets into the wrong hands?

Some more common examples:

  • Your PC screen is visible to others and you are busy with confidential information – how do you know that no-one is reading the content while you are busy working?
  • You make a photocopy, are not happy with the quality and discard the copy – who has access to the rubbish bin and to the content of the document that was copied?
  • In the afternoon when employees leave to go home – who is snooping around and has access to information that is lying open on various desks but which actually needs to be protected because of its content?

The PDCA cycle (Plan, Do, Check & Act) is applied to illustrate the process (the same cycle is used in ISO9001, ISO14001 & OHSAS18001).

PLAN: Establish the ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organisation’s overall policies and objectives.

DO: Implement and operate the ISMS policy, controls, processes and procedures.

CHECK: Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.

ACT: Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

How secure is the information that you are currently using in your organization and in your division? Are you confident that confidentiality is not being breached, that the integrity of the company is maintained, and that information is only available to those recipients for whom it was originally intended?

Do an information security risk assessment (informal) and verify that you are playing it safe!

One Response to “ISO27001 Explained”

  1. Saby Says:

    nice
    good info
