ISO 27001 is the world’s best-known internationally accepted standard for an ISMS (Information Security Management System). ISO published it on 14 October 2005. It provides a systematic approach for organizations to identify, manage, and reduce information security risks, and aims to ensure the confidentiality, integrity, and availability of the information the organization holds. Risk management is fundamental to it and is process-based. ISO 27002 contains the implementation guidance and controls for planning, implementing, improving, and maintaining an ISMS, while the requirements against which an ISMS is certified are contained in ISO 27001. With the rise in cybercrime and the constant emergence of new threats, managing cyber risk can seem difficult or even impossible; ISO 27001 helps organizations become aware of their risks and proactively identify and address weaknesses.


You can access detailed information about the article I have previously written about the fundamentals of information security at the address below. https://emrecicek.net/en/fundamentals-of-information-security/

The Information Security Management System is a management system that is planned, implemented, monitored, and continuously improved to ensure the confidentiality, integrity, and availability of the information held by the institution. Simply establishing it is not enough; it must be operated effectively, reviewed periodically, and developed further. Information security is defined as preventing unauthorized or unapproved access to, use, modification, disclosure, removal, transfer, or damage of information treated as an asset, and it rests on three basic elements: “confidentiality”, “integrity”, and “availability”. If any one of these three elements is compromised, a security breach has occurred. The types of information that need protection include services provided to institution employees, commercially and militarily confidential information, intellectual property, documents containing corporate information, and information (and anything derived from it) belonging to customers or suppliers. Operating this process requires some changes to the institutional structure:

  • Establishment of an information security coordination team
  • Determination of roles and responsibilities
  • Conducting awareness and consciousness activities
  • Creation of policies, procedures, guidelines, and record documents

In order to establish the ISMS process, a budget and financial resources allocated for the institution are needed. In addition, training that will ensure the competence of ISMS teams should be received. Activities that will increase awareness throughout the institution should be created. The existence of internal communication mechanisms that include information security issues will also contribute to this process.

Threats to information security can be external or internal:

  • External threats: attackers, viruses, botnets, spam emails, etc.
  • Internal threats: user errors, unauthorized access, deliberate damage, etc.

Basic protection measures should be taken against both known and unforeseen threats. Recommended precautions include physical security of data centers and personnel access, restrictive access controls for confidentiality and integrity, and system backups for availability and integrity. However, precautions may not be sufficient, and in some special cases flexibility may be required in areas where precautions would otherwise be taken; this is where risks emerge.

Risks, on the other hand, are the uncertainties that threaten the achievement of the stated goals. For this reason, risks must be identified, analyzed, and graded. If some risks are to be accepted, the acceptable level for those risks must be determined. The risk treatment plan as a whole is built around the options of reducing, transferring, avoiding (rejecting), or accepting each risk.

Systematic internal audits should be carried out at regular intervals to ensure the effectiveness of the ISMS. These audits evaluate the applicability of policies and procedures, compliance with legal and regulatory requirements, the effectiveness of the selected controls, and the overall performance of the system. Internal audits should be planned according to the principle of impartiality, and auditing personnel should not audit their own areas of responsibility. Audit results should be reported clearly, and corrective and preventive actions should be defined for the nonconformities found. Corrective actions are carried out to prevent similar problems in the system from recurring. These actions should be linked to a specific procedure, with clearly stated opening and closing criteria. For software, process, or infrastructure-related errors, the institution should focus on eliminating deficiencies that affect not only the end user but the entire system.

The institution must have a comprehensive documentation structure that defines its policies, standards, procedures, and guides related to information security within the scope of the information security management system. Policies must clearly set forth information security objectives, legal and regulatory requirements, corporate principles, and commitments of the top management. It is important that these policies are written, accessible, and shared with all relevant parties. While the prepared procedures and guides determine how information security activities will be carried out, standards ensure that activities are implemented measurably and consistently.

Documentation should not consist solely of theoretical documents. Records that are a part of this structure are evidence that controls are working, policies are being implemented, and procedures are being followed. In particular, records related to processes such as security incidents, internal audits, training activities, and management reviews are presented as evidence during audits and should be archived in an unchangeable manner. Therefore, the documentation structure should be both dynamic and kept up-to-date in a continuous manner.

The success of information security management is based on clearly defined roles and responsibilities. At this stage, the company management should support the achievement of information security goals and provide the necessary resources. The information security officer is responsible for monitoring the performance of the system, identifying improvement opportunities, and regularly reporting to management. Responsibility definitions should be written down, prepared based on the title, and integrated with the organizational structure.

The management review process should be carried out at planned intervals in order to evaluate the suitability, adequacy, and effectiveness of the ISMS process. In this process, criteria such as the level of achievement of information security objectives, internal audit findings, risk assessment results, status of corrective actions, and user feedback are taken into account. Management assumes the responsibility of eliminating deficiencies in the system, providing the necessary resources, and evaluating improvement opportunities.

One of the most fundamental principles of the ISO 27001 standard is the continuous improvement cycle. In the face of any nonconformity detected in the information security management system, not only the symptoms but also the root cause should be addressed. Root cause analysis should be performed to review the processes that cause the problem, and not only technical errors, but also applications that weaken the process should be addressed. The person responsible for each corrective action, the monitoring process, and completion dates should be clearly defined and recorded.

Applying ISO 27001 requires the standard clauses listed below, and the standard is organized around a specific cycle (PDCA):

  • Plan: Determining the necessary goals, objectives, processes, and procedures to achieve results in accordance with the organization’s ISO-27001 information security policy.
  • Do: Processes are implemented.
  • Check: Processes are monitored and measured against the ISMS policy, objectives, legal requirements, and other requirements. At this stage process performance is evaluated and, where applicable, measured; the results are reported to management for review and communicated to the relevant parties.
  • Improve: These are the corrective and preventive activities implemented to continuously improve ISMS performance.
  1. Determining the Scope of ISMS (Article 4)
    The organization’s field of activity, locations, processes, and information assets are determined.
    “ISMS Scope Document” should be created.
  2. Leadership (Article 5)
    Top management should approve and support the information security policy.
    Duties and responsibilities should be defined.
  3. Risk Management (Article 6)
    Risk analysis is performed by evaluating threats, vulnerabilities, impacts, and probabilities.
    A risk processing plan is prepared: Acceptance, reduction, transfer, or rejection strategy is selected.
  4. Support (Article 7)
    Documentation, training, communication, and resources should be provided.
    A competency matrix should be created.
  5. Operation (Article 8)
    ISMS processes should be operated (Access management, change management, incident management, etc.).
    Operational controls should be implemented.
  6. Performance Evaluation (Article 9)
    Internal audits, ISMS review meetings should be held.
    Security KPIs should be determined and measured.
  7. Improvement (Article 10)
    Corrective actions should be carried out for incidents and nonconformities.
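The risk analysis and risk treatment plan described above (threats, vulnerabilities, impacts and probabilities are scored, the risk is graded against an acceptance threshold, and an accept / reduce / transfer / avoid strategy is chosen) can be made concrete as a small risk register. The following Python script is an added example and not part of the article; the 1–5 likelihood and impact scales, the grade thresholds, the risk appetite of 6, and the sample register entries are all constructed assumptions for illustration.

```python
"""Worked ISMS risk-register example (added illustration, not from the article).

Likelihood and impact are scored on a constructed 1-5 scale, the risk score is
likelihood x impact, and any score at or below RISK_APPETITE may be accepted.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}
RISK_APPETITE = 6  # constructed assumption: scores <= 6 are acceptable to management


@dataclass
class Control:
    """A planned treatment measure (hypothetical names, for illustration only)."""
    name: str
    likelihood_reduction: int = 0   # scale points removed from likelihood
    impact_reduction: int = 0       # scale points removed from impact
    transfers: bool = False         # risk shared with a third party (insurer, provider)
    avoids: bool = False            # the risky activity is stopped altogether


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                 # 1-5
    impact: int                     # 1-5
    control: Optional[Control] = None

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if value not in LEVELS:
                raise ValueError(f"likelihood and impact must be 1-5, got {value}")


def score(likelihood: int, impact: int) -> int:
    """Risk score = likelihood x impact (a common qualitative scheme)."""
    return likelihood * impact


def grade(value: int) -> str:
    """Map a score to a grade; thresholds are a constructed assumption."""
    if value >= 15:
        return "critical"
    if value >= 8:
        return "high"
    if value >= 4:
        return "medium"
    return "low"


def residual_levels(risk: Risk) -> tuple[int, int]:
    """Likelihood and impact after the assigned control is applied (never below 1,
    except that avoiding the activity removes the risk entirely)."""
    control = risk.control
    if control is None:
        return risk.likelihood, risk.impact
    if control.avoids:
        return 0, 0
    return (max(1, risk.likelihood - control.likelihood_reduction),
            max(1, risk.impact - control.impact_reduction))


def treatment(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Select the treatment option: accept, reduce, transfer or avoid."""
    if score(risk.likelihood, risk.impact) <= appetite:
        return "accept"
    if risk.control is None:
        return "reduce (control not yet assigned)"
    if risk.control.avoids:
        return "avoid"
    if risk.control.transfers:
        return "transfer"
    return "reduce"


def assess(risk: Risk, appetite: int = RISK_APPETITE) -> dict:
    """One risk-register row: inherent score, grade, treatment and residual score."""
    inherent = score(risk.likelihood, risk.impact)
    residual = score(*residual_levels(risk))
    return {
        "asset": risk.asset, "threat": risk.threat,
        "inherent": inherent, "grade": grade(inherent),
        "treatment": treatment(risk, appetite),
        "control": risk.control.name if risk.control else None,
        "residual": residual, "within_appetite": residual <= appetite,
    }


def treatment_plan(risks: list[Risk], appetite: int = RISK_APPETITE) -> list[dict]:
    """Register sorted by inherent score, highest first (stable for ties)."""
    return sorted((assess(r, appetite) for r in risks), key=lambda row: -row["inherent"])


# Constructed sample register; assets, threats and controls are illustrative only.
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", "unpatched server", 4, 5,
         Control("patching + offline backups", likelihood_reduction=2, impact_reduction=2)),
    Risk("staff laptops", "theft", "unencrypted disk", 3, 3,
         Control("full-disk encryption", impact_reduction=2)),
    Risk("public website", "DDoS", "single-homed hosting", 3, 4,
         Control("DDoS mitigation service", likelihood_reduction=2, transfers=True)),
    Risk("legacy FTP server", "credential sniffing", "cleartext protocol", 4, 3,
         Control("decommission FTP", avoids=True)),
    Risk("brochure site", "defacement", "outdated CMS plugin", 2, 1),
    Risk("HR records", "insider leak", "excess access rights", 2, 5),  # no control yet
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER):
        flag = "" if row["within_appetite"] else "  <-- above appetite, needs action"
        print(f'{row["inherent"]:>2} {row["grade"]:<8} {row["treatment"]:<32} '
              f'{row["asset"]} / residual {row["residual"]}{flag}')
```

Rows whose residual score is still above the appetite (here the HR records risk, which has no control assigned yet) are exactly the items the risk treatment plan must either bring down with a control or escalate for formal acceptance by management, which mirrors the "determine the level of acceptability" step in the text.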

ISO 27002 is a guide that provides detailed explanations and good-practice examples for the Annex A controls of ISO 27001. While ISO 27001 specifies what needs to be done, ISO 27002 explains how to do it. In the implementation phase of ISO 27001 there are 11 basic headings under ISO 27002; ISO 27001 references these headings, but the details are explained in ISO 27002. These headings are as follows:

  • Security Policy: The basic document approved by the top management and reflecting the institution’s perspective on information security.
  • Organizational Structure: It includes the determination of roles and tasks that will support the ISMS structure.
  • Asset Management: It covers the classification and inventory of all information assets in the institution.
  • Human Resources Security: Personnel must comply with security rules in all processes from starting work to leaving.
  • Physical and Environmental Security: Critical infrastructures must be protected against physical threats, and access rights must be controlled.
  • Communication and Operations Management: Operational activities such as system on-off, backup, and maintenance operations must be linked to written procedures.
  • Access Control: Physical and logical access rights must be limited based on roles.
  • System Development and Maintenance: Security controls must be taken into consideration in software supply and development processes.
  • Incident Management: Security incidents must be detected, reported, and managed effectively.
  • Business Continuity: Business continuity plans that also include information security must be prepared and tested.
  • Compliance: The organization must comply with all legal, contractual, and regulatory requirements to which it is subject.

NIST (National Institute of Standards and Technology) is a US-based institution. NIST offers institutions comprehensive implementation guides, notably through publications such as SP 800-30 (Risk Assessment), SP 800-53 (Security and Privacy Controls), SP 800-171 (CUI), and the Cybersecurity Framework (CSF), and is therefore regarded as a reference for information security and for protecting systems against cybersecurity threats. It does not issue certifications, but aims to form the basis for standards such as ISO 27001.


ISO 9001 and ISO 27001 can be integrated by adapting the quality and information security processes so that they support each other. Both systems are based on the PDCA (Plan, Do, Check, Improve) cycle. ISO 9001 is the standard for a Quality Management System and aims to increase customer satisfaction; while customer satisfaction is being raised, existing risks should not be ignored. Under both certifications, the environment should be structured so that the procedures of one system do not negatively affect the other.
