The international standard ISO/IEC 27001:2022 sets out a model for building an information security management system (ISMS) and defines the requirements such a system must meet. An ISMS serves to protect the assets that handle information and is based on accepted principles, objectives, policies and assessments of the risks that may adversely affect the business.
The standard is applied not only, and not primarily, by organizations with an IT profile: almost any organization, whatever its line of business, can handle sensitive information affecting customers, partners, other stakeholders and, in some cases, even society as a whole. The protections built during the implementation of ISO/IEC 27001:2022 raise the level of security and are primarily aimed at establishing and maintaining the confidentiality, availability and integrity of information.
When an ISO/IEC 27001 ISMS is built, maintained and improved, it creates a strong basis for trust and peace of mind among all parties with which the organization works. Once the ISMS passes a successful certification procedure, the certificate of compliance serves as a definite and universally recognized guarantee for the system, provided by a serious, competent and independent body.
Practice and life itself show that absolute and permanent security cannot be achieved. The most significant benefits of an information security management system are that it creates a new way of dealing with and thinking about risks, that it keeps a constant focus on security aspects, and that it includes well-established mechanisms for preventing threats and for responding to events and incidents in such a way that they do not recur.
ISO/IEC 27001 policies and working tools are based on a balanced selection and combination of principles long proven in practice, for example "defense in depth", "attack surface minimization", "separation of duties and rights", "least privilege" and others. Which of these principles form the foundation of a given ISO/IEC 27001 ISMS is an appropriate case-by-case choice.
Adherence to the declared principles is what makes the system adequate, useful and practically oriented to the specifics of the business environment in which the organization operates.
Preparation for certification largely consists of the organization taking an inventory of, and verifying, the evidence the standard specifies for compliance with its security requirements. Among the most important items, though not the only ones, are:
- the mandatory documents and records are available and applied in practice;
- the defined protection measures are implemented and data on their effectiveness is kept;
- internal audits for verification of compliance are conducted and documented, with the audit procedure and practices complying with the general and specific auditing standards ISO 19011, ISO/IEC 27007 and ISO/IEC 27008;
- a management review of the ISO/IEC 27001 ISMS has been conducted and documented;
- the organization's staff are trained and informed, since awareness of the ISMS appropriately extends to customers, partners, suppliers and other stakeholders.