
ISO 27001 INFORMATION SECURITY MANAGEMENT SYSTEM

An ISO 27001 Information Security Management System (ISMS) is the set of processes, documents, technology and people that help an institution manage, execute and audit its information security.

It allows all security activities to be managed consistently and cost-effectively from one place.

Because the ISMS is built on regular risk assessments, it helps organizations identify and remediate security threats according to their risk ratings and the organization's risk tolerance.

An ISMS based on ISO 27001 covers the entire institution. The process from determining the scope to certification varies from three months to one year, depending on the size and structure of the organization.

The most important components of the system are:

  • Gap Analysis: Identifies the differences between the institution's current information security processes and the requirements of the standard. It also identifies the resources and competencies needed to close those gaps.

  • Determining Scope: This stage requires deciding which information assets are to be protected. In large organizations this is a difficult and complex process.

  • Development of the Information Security Policy: The policy should reflect the institution's stance on information security and should be approved by the board of directors.

  • Risk Assessment: This is the basis of the information security management system. It consists of the following steps:

    - Establishment of the risk management framework

    - Identification of risks to information assets, such as information outputs, electronic files, portable media, mobile devices and copyrighted materials

    - Risk analysis

    - Risk evaluation

    - Selection of risk treatment options

  • Selection of Controls: After the risk assessment is completed, the controls that manage and reduce the identified risks are selected.

  • Generating the Statement of Applicability: Lists the controls selected in the previous step and states, for each one, whether it is implemented and whether it is included in the ISMS, with the justification for that decision.

  • Making the Risk Treatment Plan: The plan that explains the treatment steps for each risk identified in the risk assessment.

  • Preparation of Documentation 

  • Organization-wide Implementation of Personnel Awareness Training

  • Conducting Internal Audits: Internal audits are carried out at planned intervals to determine whether the controls are working as intended.

  • Conducting Management Reviews 

  • Selection of a Certification Body

  • Obtaining the Accredited Certificate 
