ISO 27001 certification covers information security management systems (ISMS). It is currently one of the fastest growing certifications in the world, and implementing it presents numerous challenges for organizations.
The ISO 27001 standard, Information Security Management Systems, follows the structure of Annex SL, that is, the same high-level structure of requirements used by the main management systems standards such as ISO 9001 and ISO 14001, among others.
The ISO 27001 structure contains one major difference from other management systems standards: Annex A, which establishes control objectives and their respective information security controls. The organization must implement these controls in its processes to mitigate its information security risks.
The standard (2013 edition) has 114 different controls, ranging from asset management to remote work, access control and network management. A selection of them is presented below.
Below I list some of the different types of controls, as an example of how varied the Annex A controls are and how many different information security risks they can address. The organization must critically analyze each control and verify its applicability; if a control is not applicable, the justification (recorded in the Statement of Applicability) must be sound enough to demonstrate the compliance of the process:
- Inventory of assets (A.8.1.1)
- User access management (A.9.2)
- Physical entry controls (A.11.1.2)
- Controls against malware (A.12.2.1)
- Network controls (A.13.1.1)
- Information security requirements analysis and specification (A.14.1.1)
- System change control procedures (A.14.2.2)
- Information and communication technology supply chain (A.15.1.3)
- Assessment of and decision on information security events (A.16.1.4)
- Collection of evidence (A.16.1.7)
- Implementing information security continuity (A.17.1.2)
The main challenge in implementing an information security management system and obtaining ISO 27001 certification is precisely how to implement each information security control. This is a technical process, and the organization's information technology and infrastructure areas must be involved in the implementation project so that, with a multidisciplinary team, the management system can be implemented effectively.
Another important point that becomes a challenge in ISO 27001 certification is the competence of the professionals responsible for the management system: consultants, the DPO, managers, and so on. For ISO 27001 certification it is important that these professionals have knowledge both of management system processes and of information technology and the subjects covered by the Annex A controls. As mentioned above, the best way to obtain all of these skills is for the organization to establish a multidisciplinary team.
It is also worth mentioning that ISO 27001 certification is a mature process: ISO 27001 is in its 2013 version, and numerous organizations around the world are certified. With the advent of global data privacy laws such as the GDPR, the LGPD and others, the standard gained prominence in the main governance committees of organizations as a way to support digital compliance and information security governance.
At the end of the day, the main objective of ISO 27001 certification is to protect organizations from a variety of information security risks and thus promote a transparent and effective corporate governance process for privacy and information security. With the certificate, the company is able to demonstrate that it cares about these issues and takes action on them.