ISO/IEC 27001 – Information Security Management System
In Brief
The ISO 27001 standard encourages the adoption of a process approach to establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s information security management system (ISMS). Annex A of the standard lists the control objectives and controls that an ISMS draws on; ISO/IEC 27002 is the separate companion standard that gives implementation guidance for those controls (the two are aligned, but 27002 is not itself the annex).
An organisation must identify and manage many activities in order to function effectively. Any activity that uses resources to transform inputs into outputs can be considered a process; the output of one process often forms the input to the next.
‘The process approach’ is the name given to applying a system of processes within an organisation, together with identifying those processes, their interactions, and how they are managed.
The process approach to information security management presented in the standard emphasises the importance of:
- understanding the organisation’s information security requirements and the need to establish a policy and objectives for information security;
- implementing and operating controls to manage information security risks in the context of the organisation’s overall business risks;
- monitoring and reviewing the performance and effectiveness of the ISMS;
- continually improving the ISMS on the basis of objective measurement.