What is ISO27001 (ISMS)?
March 22, 2022
What is ISO 27001?
ISO/IEC 27001 is an international standard for an "information security management system" (ISMS). The standard states the requirements for how information security should be managed in an organization.
Today there are many malware and ransomware attacks around the world, as well as many unauthorized access attempts aimed at stealing our identities. Furthermore, since people now carry mobile devices everywhere, keeping the data on those devices secure has become an issue.
ISO 27001 certification exists to assure that a company has a secure information management system to protect the information assets in the company.
Benefits of an ISMS
The most important benefit of building an ISMS (Information Security Management System) is that the organization gains a systematic way of protecting information. A company that develops an ISMS is required to make rules on how information should be handled. And, since an ISMS is a continuous system, there will be a continuous assessment of whether any security risks exist. Every year there are new technologies, and we keep adopting them to make our work more efficient. At the same time, adopting new technologies introduces new security risks. Therefore, it is important to evaluate security risks consistently.
In addition to having a secure system to protect information assets, being certified for an ISMS adds credibility with stakeholders, which always has a positive impact on the company.
Basic concept of ISMS
An ISMS uses the PDCA cycle to manage information security continuously. PDCA stands for Plan, Do, Check, Action (or Adjust). Creating rules for security is part of the "Plan": rules are statements of how an organization intends to manage information security. "Do" is to enforce the plan. "Check" means evaluating whether the management of information security is carried out as planned. Usually there is some gap between the plan and its real execution. Therefore, at the end of the cycle there is "Action" (or "Adjust"), which is the action taken to close the gap between plan and execution.
Basically, an ISMS is not something an organization does once. Since an ISMS is a system, the organization needs to keep improving it, and that continuous improvement process is what an ISMS is.
This is one of the reasons why an audit for certification is done every year. Once an organization stops improving the way it keeps information secure, it will not be able to keep its certification.
Having rules is a starting point
The ISO 27001 document contains the requirements an organization needs to meet to maintain information security, and a company should have rules that fulfill those requirements. Of course, depending on the company's business, the company may also choose not to include certain requirements in its scope.
In most cases, making rules to fulfill the requirements is the first step a company needs to take in order to obtain ISO 27001 certification. Those requirements cover areas such as access control, device control, and so on.
How HENNGE One is beneficial for ISO 27001 certification
The first step toward ISO 27001 certification is to create rules that fulfill the requirements. But having rules alone still leaves the company exposed to risk: since humans make mistakes easily, simply asking employees to follow rules cannot stop security incidents from happening. And without improving its security management system, a company cannot remain certified. Therefore, the company needs to adopt a system that lowers the risk of a security incident occurring.
This is where HENNGE One can be useful. In fact, many of the security features in HENNGE One were developed as we renewed our own ISO 27001 certification, so many of its features can be used to meet ISO 27001 requirements.