Some Aspects Regarding the Information Security
Management System within Organizations – Adopting
the ISO/IEC 27001:2013 Standard
Politehnica University of Bucharest,
313, Splaiul Independentei, Bucharest, Romania
Abstract: Information security in an organization is one of the most important pillars in achieving organizational objectives. It does not produce profit but it offers the necessary framework for efficiency and efficacy in organization. Information security can be provided in an organization through the implementation and certification of an ISMS–Information Security Management System. This paper presents some aspects regarding the information security management system in an organization and underlines the importance of the adoption of an ISMS and the new elements in ISO/IEC 27001:2013 (new concepts, requirements and changes introduced in the standard). An analysis regarding the correlation between the business risks and features & advantages of the ISO/IEC 27001 standard is presented. There is also proposed a guide for adopting the ISO/IEC 27001:2013 standard, which implies a self-assessment of the organization (which allows to identify where the organization in the ISO/IEC 27001 process is) and strategies (concrete steps and the allocation of resources). The proposed guide will help the organization to understand the relationship between ISO/IEC 27001:2013 and its predecessor ISO/IEC 27001:2005.
Keywords: Information security, standards, management systems, organizations, ISO/IEC.
CITE THIS PAPER AS:
Bogdan TIGANOAIA, Some Aspects Regarding the Information Security Management System within Organizations – Adopting the ISO/IEC 27001:2013 Standard, Studies in Informatics and Control, ISSN 1220-1766, vol. 24 (2), pp. 201-210, 2015.
In the territories that present social and public order conflicts, information management and timely access to it, is of vital importance as it contributes to the understanding of the nature of the conflicts that arise . If we refer to an organization, according to B.S.I. Group (British Standards Institution), successful businesses understand the value of timely, accurate information, good communications and secrecy. Information security is as much about exploiting the opportunities of our interconnected world as it is about risk management. That’s why organizations need robust information security management . According to Pipkin, information security is the process of protecting the intellectual property of an organization . All models related to the measurement of information security success are mostly driven by financial performance indicators, and not by psychological or other non-economic goals . One durable and well-known way to achieve security for organizational information is through the implementation and then certification, through a certification body, of an ISMS – Information Security Management System, according to the international standard ISO/IEC 27001:2005, with its revised version in 2013. An information security management system is a set of managerial interconnected processes having the target to establish the right direction regarding information security in organization. It is important to stress the necessity of having an ISO/IEC 27001 certified organization. Why adopt an information security management standard?
Organizations take into considerations at least two directions: an ISMS is a powerful market instrument so it is about market assurance and the second advantage refers to governance.
- The certified organization is able to provide confidence to all interested parties and within the market, it is able to assure the main functions of information security: availability, non-repudiation, authenticity, confidentiality and integrity of information.
- Regarding governance – how the organization is managed, by an ISMS the company acts in a proactive way to manage information security. An organization might choose to certify an ISMS for better management or to attract new customers.
The paper has the objective to propose a guide for adopting the ISO/IEC 27001:2013 standard in organizations (particularly from Romania), as a response to the results of a research made by the author in 2014. The research, based on a questionnaire with respondents from Romanian and Bulgarian organizations, revealed the intention of many organizations to be certified or recertified; so, there is a necessity of having such a guide which is expected to have a wide applicability. The paper presents some aspects regarding the information security management system according to the new requirements of the ISO/IEC 27001:2013 international standard: new concepts, requirements and changes introduced in the standard etc. Then, based on the author exploratory research, the paper contributes with some new elements useful for organizations that have the intention to adopt an ISMS or to upgrade an existing one. The author is not aware about other references to this subject in Romanian literature. The remaining part of the paper is organized in 4 chapters devoted to the following issues, respectively: contributions of the ISO/IEC 27001:2013 standard, guide for adopting this standard, a case study – an example of practical use, and conclusions.
- RIBON R. J., GARCIA VILLALBA L.J., KIM T., Application of Mobile Technology in Virtual Communities with Information of Conflict-Affected Areas, Studies in Informatics and Control, ISSN 1220-1766, vol. 22(1), pp. 33-42, 2013.
- BREWER, D., Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013, BSI Report, BSI Group, 2013.
-  PIPKIN, D. Information security: Protecting the global enterprise. New York: Hewlett-Packard Company, 2000.
- New ISO/IEC 27001:2013 Information Security Management Systems, SAI Global report, 2013.
- ISO/IEC 27001 Information Security – Features and benefits, BSI Group report, 2
- ISO/IEC 27k family of standards (http://www.iso.org/iso/).
- ŢIGĂNOAIA, B. A preliminary model to assess the company’s readiness for an ISO/IEC 27001 Information Security Management System, Conf. Comm, Context and Interdisciplinarity, 3rd edition, Tg. Mures, Romania, 23-24 October, 2014, pp. 279-287.
- HUMPERT-VRIELINK, F, N. VRIELINK, A Modern Approach on Information Security Measurement. Proceedings of the 14th Information Security Solutions Europe Conference-ISSE 2012; Brussels, Belgium, October 23-24, 2012, pp. 48-53.
- HINSON ET ALL, ISMS Auditing Guideline, ISO27k Implementers’ Forum, 2008.