Introduction to ISO 27001:2013 -
Information Security Management System (ISMS)

The ISO 27001:2013 standard specifies requirements for establishment, implementation, maintenance and continual improvement of an Information security management system. The expert ISO 27001 consultants in India (ISMS consultants in India) of the Inzinc Team will ensure in providing professional consultancy solutions that puts a solid ISMS foundation.

What is an Information Security Management System?

An Information security management system (ISMS) is the part of an organization's management system that consists of a set of policies, objectives and procedures to ensure that the organization's information is kept secure, to manage & minimize the risk and ensure business continuity by pro-actively minimizing the impact of a security breach.

What is Information Security?

Information security is the practice of protecting organization's assets from unauthorized access, use, disclosure, falsification, modification, recording or destruction in order to achieve Confidentiality, Integrity and Availability (CIA)

What does our ISO 27001 Consulting services include?

Our ISO 27001 Consulting services in India includes

• ISO 27001 Gap Analysis: Conduction of ISO 27001 gap analysis and submission of the gap analysis report
• Documentation of ISMS Manual (ISO 27001 manual), ISMS procedures, ISMS policies (including ISO 27001 security policy), forms & formats. Our ISMS consultants will use the professional ISO 27001 documentation toolkit to cover the ISO 27001 documentation requirements of the ISO 27001:2013 standard.
• help and guidance in implementation of ISO 27001 controls (All of ISO 27001 controls list that are applicable as given in Annex A of ISO 27001:2013 standard)
• help and guidance in preparation of Statement of Applicability (SOA)
• help and guidance in conducting Risk Assessment and Risk treatment (Risk Management)
• ISO 27001 Awareness training where we teach Information Security basics (ISO 27001 basics) and ISO 27001 overview
• ISO 27001 Internal auditor training and help conduct ISO 27001 Internal audit and help conduct ISO 27001 Management Review.

Our ISO 27001 consultants in India (Bengaluru) India will ensure that the above ISO 27001 consulting services in India are executed with dedication and in a timely fashion. Our ISO 27001 Consultants in India make sure that the ISO 27001 implementation helps you to effectively establish, monitor and continually improve the Information Security Management System.

Benefits of ISO 27001 standard

The following are the advantages or Benefits of establishing a Information Security Management System (ISMS) in your organization

• Provides a framework to ensure safety of sensitive information.
• Builds trust and confidence among customers and stakeholders on how risk management is carried out.
• Ensures the secure exchange of information.
• The exposure to risk is minimized.
• Helps in developing a security culture that gets embedded in the organization culture.
• Helps to protect the Organization's assets, customers and stakeholders.
• Gives the competitive edge compared to non-ISMS based companies.
• Customer satisfaction and perhaps delight !

Transition from ISO 27001:2005 to 27001:2013

Organizations who are certified to ISO 27001:2005 need transition to ISO 27001:2013 which is the latest version. Inzinc provides ISO 27001 consultancy services in India to enable smooth transition from the 2005 version to the 2013 version.

The first revision of the Information Security Management System (ISMS) standard ISO/IEC 27001:2013 was published on 1st October 2013. This effectively replaces the earlier ISMS standard ISO/IEC 27001:2005. The new ISO 27001 standard was developed with inputs gathered from the practical experience of application of the ISO 27001:2005 standard worldwide. Apart from this, there are two other reasons namely:

• Move towards integration of all future ISO standards which will have 10 clauses with common clause headings across ISO standards but with content pertinent to the management standard in context. This paves way for easy Integrated Management Systems.
• Connect the ISO/IEC 27001:2013 standard to the risk management standard ISO 31000:2009.

In terms of ISMS controls, the ISO/IEC 27001:2005 Version had 133 controls classified under 11 domains. The New ISO/IEC 27001:2013 Version consists of 114 Controls classified under 14 domains. Refer Annex A of the ISO 27001:2013 standard for ISO 27001 domains.

In terms of the management clauses, the ISO/IEC 27001:2005 had eight main clauses.

The new ISO 27001 : 2013 has 10 Main Clauses which are as below:

• Scope
• Normative references
• Terms and definitions
• Context of the organization
• Leadership
• Planning
• Support
• Operation
• Performance evaluation
• Improvement

(Courtesy: ISO)

The new ISO 27001:2013 Information security management system standard brings up the context of the organization into picture. This is linked to the ISO 31000 risk management standard. Here we define internal context (internal issues) and external context (external issues).

Another change is that the Section on PDCA cycle is removed. However, the PDCA cycle can be used as one of the tools of Continual Improvement and can be used in the processes.
Also, the clause 9.3 on Management Review specifies requirements on the topics for consideration during the review instead of specific inputs and outputs of the management review as put forward in the earlier ISO 27001 standard.

So, please contact our ISO 27001 consultants in India for transition from (upgradation from) ISO 27001: 2005 to ISO 27001: 2013.

ISO 27001:2013 Mandatory documents

Following are the Mandatory documents that are required by ISO 27001:2013 ISMS standard:

• Scope of the ISMS (clause 4.3)
• Information security policy and objectives (clauses 5.2 and 6.2)
• Risk assessment and risk treatment methodology (clause 6.1.2)
• Statement of Applicability (clause 6.1.3 d)
• Risk treatment plan (clauses 6.1.3 e and 6.2)
• Risk assessment report (clause 8.2)
• Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
• Inventory of assets (clause A.8.1.1)
• Acceptable use of assets (clause A.8.1.3)
• Access control policy (clause A.9.1.1)
• Operating procedures for IT management (clause A.12.1.1)
• Secure system engineering principles (clause A.14.2.5)
• Supplier security policy (clause A.15.1.1)
• Incident management procedure (clause A.16.1.5)
• Business continuity procedures (clause A.17.1.2)
• Statutory, regulatory, and contractual requirements (clause A.18.1.1)

ISO 27001:2013 Mandatory Records

The mandatory records that are required by the ISO 27001:2013 standard are as below:

• Records of training, skills, experience and qualifications (clause 7.2)
• Monitoring and measurement results (clause 9.1)
• Internal audit program (clause 9.2)
• Results of internal audits (clause 9.2)
• Results of the management review (clause 9.3)
• Results of corrective actions (clause 10.1)
• Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)

We have experienced Lead auditors and information security consultants. We can depute our team for requirements of ISO 27001 Consultants in Dubai / Abu Dhabi in the UAE, ISO 27001 Consultants in Singapore, ISO 27001 Consultants in Kuwait, ISO 27001 Consultants in Mauritius, ISO 27001 Consultants in Maldives, and ISO 27001 Consultants in other parts of the World including UK, Australia, Canada, etc.

ISO 27001 Internal Audit services

As part of the ISO 27001 effectiveness measurement, our ISO 27001 consultants in India can conduct ISO 27001 Internal Audit on behalf of our clients. Through our rich experienced ISO 27001 consultants in India we can provide ISO 27001 Internal Audit services in India.

Our committed team of ISO 27001 Consultants in India will help conduct the Internal Audits on behalf of our clients and we will submit reports of the Internal Audit.

ISO 27001 Family of Standards

• ISO/IEC 27000– Vocabulary
• ISO/IEC 27001 – Information Security Management Systems (This is the Auditable ISO 27001 standard)
• ISO/IEC 27002 – Code of Practices
• ISO/IEC 27003 – IT - Security Techniques – Information Security Management System implementation guidance
• ISO/IEC 27004 - IT – Security Techniques – Information Security Management – Measurement
• ISO/IEC 27005 – Information technology – security techniques – Information Security risk management
• ISO/IEC 27006 - Information technology – security techniques – Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27007 – Information technology -- Security techniques -- Guidelines for information security management systems auditing
• ISO/IEC 27008– Information technology – security techniques – Guidelines for auditors on Information Security Controls
• ISO/IEC 27010 –Information technology -- Security techniques -- Information security management for inter-sector and inter-organizational communications
• ISO/IEC 27011 – Information technology – security techniques – Information Security management guidelines for telecom organizations based on 27002
• ISO/IEC 27013–Information technology -- Security techniques -- Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1

ISO 27001 domains (Domains as per the 2013 version of ISO 27001)

The Annex A of the ISO 27001:2013 standard defines the complete list of ISO 27001 controls. These controls (which are 114 in number) are grouped under 14 domains (or groups or ISO 27001 security domains) which are as under:

• Information security policies (A.5)
• Organization of information security (A.6)
• Human resource security (A.7)
• Asset management (A.8)
• Access control (A.9)
• Cryptography (A.10)
• Physical and environmental security (A.11)
• Operations security (A.12)
• Communications security (A.13)
• System acquisition, development and maintenance (A.14)
• Supplier relationships (A.15)
• Information security incident management (A.16)
• Information security aspects of business continuity management (A.17)
• Compliance (A.18)

If you wish to get ISO 27001 implemented in your organization, contact our ISO 27001 Consultants in India at ic@inzinc.in