April 16, 2020

What is the 27001 Data Security standard?

ISO/IEC 27001 specifies the requirements for an information security management system (ISMS): how an organisation identifies its security risks, decides how to treat them, measures whether the treatment is working and improves over time. It is a requirements standard (written as "shall" statements that an auditor can check), with flexible criteria rather than a fixed checklist; the companion standard ISO/IEC 27002 provides the implementation guidance for the individual controls. Although the title of this page says "data security", the standard's own term is information security, and it covers information in every form, not only electronic data.

The processes are carried out within an Information Security Management System (ISMS): a set of policies, procedures, roles and controls, with the documented evidence that they are operating, designed to address the information security risks of any organisation.

It is voluntary – not a legal requirement (yet), although customers, regulators or contracts may require certification in practice

It is flexible – the management-system clauses (4 to 10) must all be implemented for certification, but the Annex A controls are selected on the basis of the risk assessment, and any control that is excluded must be justified in the Statement of Applicability

It is comprehensive, because it describes an approach rather than being specific to particular situations or technologies

It provides an approach that does not just find the problems, but requires a risk treatment plan showing how each identified risk will be handled (mitigated with controls, transferred, avoided or accepted)

It relates to all aspects of information security – not just IT but paperwork, physical security, people and suppliers

It allows organisations to set their own risk acceptance criteria and to decide, with management sign-off, how much residual risk they are prepared to live with in each situation

The 27001 standard (2013 edition) is made up as follows:

Sections 1 to 3 cover generic requirements (Scope, Normative references, and Terms and definitions)

Section 4 covers the context of the organisation: the internal and external issues that affect it, its "interested parties" and their requirements, and the scope of the ISMS

Section 5 details the requirement for top management to show leadership and commitment to the ISMS, including setting the information security policy and assigning roles and responsibilities (vital)

Section 6 (Planning) goes through the steps to identify, analyse and evaluate risk, plan its treatment and set measurable information security objectives

Section 7 (Support) relates to resources, competence, awareness, communication and documentation requirements

Section 8 (Operation) goes into carrying out the risk assessment and risk treatment in practice, and managing planned and unplanned changes

Section 9 (Performance evaluation) details the need to monitor, measure, internally audit and management-review the controls and procedures

Section 10 (Improvement) addresses how to react to nonconformities found by such reviews, take corrective action and achieve continual improvement

Then there is Annex A which lists the controls and their objectives:

114 controls - In 14 clauses (A.5 to A.18) - Sub-grouped by 35 control objectives (these figures are for the 2013 edition of the standard)

The 27001 standard grew out of work sponsored by the UK Department of Trade & Industry (DTI as it was then), which the British Standards Institution published as BS 7799 in 1995. The certification part of BS 7799 was ultimately adopted by the ISO (International Organisation for Standardisation), jointly with the IEC, as ISO/IEC 27001 in 2005 – hence it is often referred to as ISO 27001. ISO publishes the standard but does not itself certify anyone: third-party certification is carried out by certification bodies, which are in turn accredited by national accreditation bodies (UKAS in the UK) against ISO/IEC 17021 so that a certificate issued in one country is recognised in others. Any organisation wanting to be assessed can apply to an accredited certification body. This too is voluntary – following the procedures and controls in the standard is sufficient to manage information security – but many organisations want the 3rd party oversight to prove to customers and partners that they are taking things seriously. The certificate only covers the scope the organisation declared in section 4, so when relying on a supplier's certificate it is worth checking that scope covers the service you actually use.

Secure Business Data