The user of the 27k1 ISMS starts by entering details specific to the organisation:
- Name, address and other details of the organisation
- Breakdown of zones/areas of activity within the organisation
- Breakdown of employees within the organisation
- Data assets held by the organisation:
  - People, Hardware, Software, Communications, Storage, etc.
The next step is to run through the risk and frequency related to each combination of assets and activities.
A series of user-controlled tables determines the applicable risk and frequency levels.
The combination of Asset x Threat x Vulnerability yields the inherent Risk, i.e. the Risk with no controls in place.
To apply the controls, the ISO 27001 Data Security Standard requires that users interpret their Risk using three specific features:
- Controls – a list of (currently) over 100 specific areas in which each organisation has to set up its own controls, where those controls are relevant to its operations
- Procedures – a list of 10 procedures (again, depending on what applies) that lay out the approach to handling data risk in the organisation
- Documentation – some of it mandatory under 27001, e.g. Policies on specific areas
The 27k1 ISMS then gives the user the ability to review the Risk following application of the Controls and Procedures in place, taking account of whether each control or procedure is completed, in operation and being checked, or not yet fully completed.
The result of this process is an identification of where the “holes” still exist and, consequently, a list of follow-up actions to close them off. The assessment of Risk following such activities can then be judged sufficient in the organisation’s eyes (or not, in which case the process is repeated until it is).
All of this is logged so that the different states of completeness can be tracked, as well as who has authorised what, who has been required to do what, whether they have done it, and what the state of Risk is within the organisation at any one time.
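As an added illustration (not the 27k1 ISMS's own code or figures), the Asset x Threat x Vulnerability scoring and the residual-risk review described above, modelled in Python. The 1..5 scales, the credit given to each implementation state, the per-control reductions, the control ids and the sample register are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Credit given to a control's effect per state; three states as on the page, fractions assumed.
STATUS_CREDIT = {"completed": 1.0, "in_operation_checked": 0.75, "incomplete": 0.0}

@dataclass(frozen=True)
class Control:
    ref: str          # control/procedure reference (placeholder ids in the sample)
    reduction: float  # fraction of risk removed when fully effective (assumed)
    status: str       # one of STATUS_CREDIT's keys

@dataclass(frozen=True)
class Scenario:
    asset: str        # an asset from the organisation's asset breakdown
    threat: str
    asset_value: int  # 1..5 (assumed scale)
    frequency: int    # threat likelihood, 1..5 (assumed scale)
    severity: int     # vulnerability severity, 1..5 (assumed scale)
    controls: tuple[Control, ...] = ()

def inherent_risk(s: Scenario) -> int:
    """Asset x Threat x Vulnerability with no controls applied (1..125)."""
    return s.asset_value * s.frequency * s.severity

def residual_risk(s: Scenario) -> float:
    # Each control removes its reduction, scaled by the credit for its current state.
    remaining = float(inherent_risk(s))
    for c in s.controls:
        remaining *= 1.0 - c.reduction * STATUS_CREDIT[c.status]
    return round(remaining, 2)

def find_holes(scenarios: list[Scenario], appetite: float) -> list[dict]:
    """Scenarios still above the risk appetite, with the not-yet-completed controls as follow-up actions."""
    holes = []
    for s in scenarios:
        res = residual_risk(s)
        if res > appetite:
            holes.append({"asset": s.asset, "threat": s.threat,
                          "inherent": inherent_risk(s), "residual": res,
                          "actions": [c.ref for c in s.controls if c.status != "completed"]})
    return holes

# Constructed sample register; values and control ids are made up for this example.
SAMPLE = [
    Scenario("Customer DB", "Ransomware", 5, 4, 4,
             (Control("CTRL-PATCH", 0.6, "in_operation_checked"),
              Control("CTRL-BACKUP", 0.5, "incomplete"))),
    Scenario("Staff laptops", "Theft", 3, 3, 3,
             (Control("CTRL-FDE", 0.8, "completed"),)),
]
```

Re-running `find_holes` after a control's status changes is the iteration the text describes: the list of actions shrinks until no scenario exceeds the appetite.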
The result is a detailed breakdown, laid down iteratively, of what has been considered, why and with what result. This allows management of risks, review of progress, review of responsibilities, exception reporting, KPI plotting and facilitates oversight and management of the whole field. Longer term this adds durability and efficiency to the organisation.
27k1 ISMS goes a long way towards meeting GDPR requirements but (currently) does not include all GDPR requirements such as feeding back data on request or tracking permissions. The new ISO 27701 standard, covering this, will be incorporated into 27k1 in the future.