What is ISO 27001? How do you manage your information assets?
ISO 27001 is the information security management system standard that's apart of the ISO family of standards for all things risk management. ISO 27001 is centred on managing the risks associated with your information assets: All of the data, all of the electronic information and even to a certain extent the hardcopy information you've got in your organization.
Now, a lot of that information could be things like customers details, financial details, banking details and even your commercial intellectual property that you use to run your organization. ISO 27001 is targeted at all of that information all of your information assets.
ISO 27001 follows a risk-management framework, similar to a ISO 9001 quality management system standard or an ISO 45001 OH&S management system or an ISO 14001 environmental management system.
All of these standards follow a risk management framework, generically if you look at ISO 31000 which has been international risk management framework, all of these management systems specifications are following that same framework. These same steps and same process is going to give you positive business improvement outcomes.
Looking at ISO 27001, the process will look like: You put your management system together, you think about your information security risks and start to identify and implement the controls that you're going to use in your organization to manage any threats or risks associated with your information security management responsibilities and requirements.
Setting up a dashboards is really important, monitoring statistics around when you look at your threats and risks, how often you monitor your statistics around, is your information security management system performing for you, is it managing your issues?Are you having issues and also looking at how you improve your organization? How often do you identify opportunities for improvement, how often do you execute and implement on those opportunities for improvement?