Information Security, within a business context, relates to the identification and protection of data and information managed by the organisation, and includes both digital and hardcopy information, with cyber security being a subset of the broader information security. A common misconception is that Information Security is the sole responsibility of the IT department. Whilst IT may have a role to play in Information Security, it must be seen as a business risk and should be managed by the risk owners. Like most other areas of risk, information security is best managed by developing and implementing a management system, in this case an Information Security Management System (ISMS).

Whilst most organisations will recognise that managing information is important, there is still a general lack of understanding of what is required to manage it, and of how to go about developing an ISMS.

ISO 27001 provides the framework for developing and implementing an ISMS. Within Australia, the standard is AS ISO/IEC 27001:2015 Information technology – Security techniques – Information security management systems – Requirements. Like all current management system standards, AS ISO 27001 follows Annex SL, which provides the overarching structure for the standard under the 10 standard headings:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

However, ISO 27001 is more granular than most standards and goes on to specify, in Annex A, a set of control objectives and controls. This includes 14 sections, encompassing 114 specific controls. The 14 sections are:

  • 5 Information security policies
  • 6 Organization of information security
  • 7 Human resources security
  • 8 Asset management
  • 9 Access control
  • 10 Cryptography
  • 11 Physical and environmental security
  • 12 Operational security
  • 13 Communications security
  • 14 System acquisition, development and maintenance
  • 15 Supplier relationships
  • 16 Information security incident management
  • 17 Information security aspects of business continuity
  • 18 Compliance

Whilst not all 114 controls will apply to every organisation, a business must formally consider each control and document any exclusions, with the justification for them, in a Statement of Applicability.

The process of developing an ISMS may seem daunting, given the granularity and extent of the standard’s requirements. In reality, many organisations will already have both formal and informal processes in place that provide a solid basis on which to build their ISMS.

A starting point would be to acquire the AS ISO/IEC 27001:2015 Standard and then conduct a Gap Analysis, identifying which requirements are already met and where the gaps are.

Should your organisation require assistance, please contact QRMC for more information.