Info Sharing Blog

Tuesday, July 24, 2018

Part 1-InfoSec Scribbling : ISO/IEC 27001:2013

July 24, 2018 Posted by jaacostan
:: InfoSec Study Notes : Scribbling on ISO/IEC 27001:2013 Standard Part-1::
ISO/IEC 27001:2013 is an information security management standard. Organizations use it to manage and control information security risks, to protect and preserve the confidentiality, integrity, and availability of information, and to establish, implement, maintain and continually improve an information security management system (ISMS).

-It is a systematic framework for managing information security risks and protecting important information.
-The standard consists of the mandatory ISMS requirements (clauses 4 to 10) and Annex A, a list of control objectives and controls for information security.
-Annex A is an essential tool for managing security: a list of security controls (safeguards) that are selected, through the risk treatment process, to improve the security of information. Every Annex A control must be either applied or justified as not applicable in the Statement of Applicability.
-In brief, Annex A groups its 114 controls into the following 14 domains (A.5 to A.18). Each domain contains one or more control objectives, and each objective has its own controls beneath it, so the full list is much longer than the headings below.
    -Security Policy Management (A.5 Information security policies)
    -Corporate Security Management (A.6 Organization of information security)
    -Personnel Security Management (A.7 Human resource security)
    -Organizational Asset Management (A.8 Asset management)
    -Information Access Management (A.9 Access control)
    -Cryptography Policy Management (A.10 Cryptography)
    -Physical Security Management (A.11 Physical and environmental security)
    -Operational Security Management (A.12 Operations security)
    -Network Security Management (A.13 Communications security)
    -System Security Management (A.14 System acquisition, development and maintenance)
    -Supplier Relationship Management (A.15 Supplier relationships)
    -Security Incident Management (A.16 Information security incident management)
    -Security Continuity Management (A.17 Information security aspects of business continuity management)
    -Security Compliance Management (A.18 Compliance)

ISO 27000 family of standards:

ISO/IEC 27000 – overview of information security management systems, plus the terms and definitions used across the whole family
ISO/IEC 27001 – specifies the requirements for an ISMS; this is the standard an organization is actually certified against
ISO/IEC 27002 – code of practice giving implementation guidance for the controls listed in Annex A of 27001
ISO/IEC 27003 – guidance for the implementation of an ISMS
ISO/IEC 27004 – guidance on how organizations can monitor, measure, analyse and evaluate the performance of their ISMS
ISO/IEC 27005 – guidance on information security risk management, the process that drives control selection in 27001
ISO/IEC 27006 – requirements for the bodies that audit and certify an ISMS
ISO/IEC 27007 – guidelines on how to audit an ISMS
-sector specific-
ISO/IEC 27011 – application of the ISO/IEC 27002 security controls in telecommunications organizations
ISO/IEC TR 27015 – information security management guidelines for financial services