ISO 27001 Standards
SCIT organized a guest lecture on 4th August, 2018 on the topic "ISO 27001 Standards". The speaker for the day was Mr. Vijay Upadhyay, who works as a Manager at HSBC Bank. He holds the CISA, CCSK, CISM and CISSP certifications and has over 11 years of experience in the Information Security field. He is an alumnus of Symbiosis Centre for Information Technology.
He started off the session by sharing the history of the ISO 27001 standard. In 1992, the Department of Trade and Industry (DTI), which is part of the UK Government, published a 'Code of Practice for Information Security Management'. In 2005, ISO/IEC 27001:2005 was published, and on 25th September 2013 a revised standard, ISO/IEC 27001:2013, was published and replaced ISO/IEC 27001:2005.
He stated that standards are required to protect an organization's information assets and to make security planning and management efficient and effective. Adopting a standard also increases the credibility, trust and confidence of partners and customers, and gives compatibility with other standards. Information security concepts revolve around Confidentiality, Integrity, Availability, Non-Repudiation and Accountability. He also explained the ISMS process model, PDCA (Plan-Do-Check-Act), which involves four steps:
- Plan: Define security policies and procedures.
- Do: Implement and manage security controls and processes.
- Check: Review and audit security management and controls.
- Act: Implement identified improvements and corrective/preventive actions.
ISO/IEC 27001:2013 has its own structure and content. It requires the organization to determine its context: the needs and expectations of the organization and of its interested parties. The Leadership clause establishes the role of top management towards the ISMS. The Planning clause covers the organization's strategic objectives and risk management. The Support clause sets out the requirements for organizational resources and competencies and for the standard's documentation. The standard then requires the organization to carry out operations and performance evaluation, and to handle nonconformities of the ISMS through corrective action so that continual improvement of the ISMS is ensured.
Every standard like ISO/IEC 27001:2013 needs time for implementation and certification. A small organization takes up to 6-8 months, a medium organization takes 10-12 months, and a large organization with 400-1000 employees needs 13 months or more for complete implementation of the standard.
At the end of the session, he said that the standard must be applied in its prescribed structure, its controls must be implemented in full, and its objectives must be achieved in order to obtain better results.