ISO 27001: what requirements for an Information Security Management System (ISMS)?
The ISO 27001 standard is an international standard for information security management. It specifies the requirements for an information security management system (ISMS) to be implemented in the organization. The ISMS is the organization (processes, responsibilities, actions, etc.) that the company must put in place to manage and continually improve information security.
The standard sets out its requirements in terms of organization (a management system), so that information security is kept under control. It covers:
- Governance related to information security and strategy.
- The processes necessary for controlling information security.
- Risk assessment and risk treatment, and how their results are reported.
- Security measurement, monitoring and improvement processes.
- Responsibilities related to information security.
A company can then obtain ISO 27001 certification from an independent certification body, which attests that the company's ISMS conforms to the standard.
What is the scope and purpose of the ISO 27001 standard?
The ISO 27001 standard aims to control information security, and the services that depend on it, by mastering four areas:
- Ensure the availability of information and services.
- Secure the integrity of critical data.
- Guarantee the confidentiality of sensitive data and customer data.
- Ensure that legal and other evidence remains available and compliant.
ISO 27001 applies to the entire company, not just to its information systems, and it potentially concerns any company. Seeking ISO 27001 certification reflects a desire to raise the level of quality of service through security. Depending on its customers and its competitive context, a company has more or less interest in implementing the standard and going as far as certification: the more sensitive and critical the service, the more valuable the certification becomes.
To obtain ISO 27001 certification, the organization must meet the requirements of the ISO 27001 standard itself and justify, in its Statement of Applicability, which of the controls listed in Annex A it applies. ISO 27002 provides implementation guidance for those controls; it is a companion guideline, not a standard an organization is certified against.
ISO 27005 for information systems risk management (ANSSI text)
ISO recently published the revision of ISO/IEC 27005:2022. The ISO/IEC 27005 standard, applicable to all types of organizations, is an international standard containing guidelines relating to information security risk management. It is designed to help implement information security based on a risk management approach. The ISO/IEC 27005:2022 revision makes it possible to provide and disseminate the main innovations of EBIOS Risk Manager through the standard. The task force of French experts organized by AFNOR (Structure AFNOR/CN CYBERSECURITE | Norm'Info), in conjunction with the EBIOS Club and ANSSI (represented by the Cyber Risk Management office), took part for more than three years in the work to revise the ISO/IEC 27005 standard.
Who is the ISO 27005 standard for?
The International Organization for Standardization recommends the ISO 27005 standard not only to companies but also to public bodies such as government agencies and to non-profit organizations (NPOs).
Concretely, this information security standard is used to ensure the confidentiality, availability and integrity of the organization's strategic information. It is relevant to any organization exposed to cyber risk and to the continued growth of data in its services.
What exactly is the ISO/IEC 27005 standard for?
The standard is backed by training that allows employees to develop the skills needed to implement effective information security risk management. People trained in ISO 27005 are, in principle, able to identify cyber risks, analyze them, evaluate them and treat them.
The standard also supports the ISMS (Information Security Management System) required by ISO 27001. The ISMS includes the definition of cybersecurity processes and policies, coupled with a continuous improvement approach to risk management. It takes both human and technical factors into account.
With this in mind, the ISO 27005 risk management process follows a cycle comparable to the PDCA (Plan, Do, Check, Act) continuous improvement loop:
- Plan: Identification and assessment of cyber risks, then selection of risk treatment actions;
- Do: Implementation of these actions;
- Check: Control of results;
- Act: Monitoring and improvement of the risk treatment strategy.
What are the ISO 27005 training courses?
There are several certification courses available to train in ISO 27005:
- ISO 27005 Foundation, which gives access to the PECB Certified ISO/IEC 27005 Foundation certification;
- ISO 27005 Certified Risk Manager with EBIOS: this training approaches risk management through the EBIOS method. It therefore gives access to two exams: PECB Certified ISO/IEC 27005 Risk Manager and PECB Certified EBIOS;
- ISO 27005 Certified Risk Manager with MEHARI, the "harmonized risk analysis method" developed by CLUSIF in France;
- ISO 27005 Risk Manager from ANSSI, the French National Agency for the Security of Information Systems.