What are the 3 key elements information security in ISO 27001?
The three key elements of information security in ISO 27001 are:
Confidentiality is the protection of information from unauthorised disclosure. This means that only authorised individuals should be able to see or access the information. Confidential information could include things like financial data, customer records, or intellectual property.
There are many ways to protect confidentiality, such as:
- Using strong passwords and access controls
- Encrypting sensitive data
- Limiting access to sensitive areas
- Implementing data loss prevention (DLP) solutions
Integrity is the protection of information from unauthorised modification. This means that information should only be changed by authorised individuals and in a controlled manner. Any changes to information should be logged and tracked.
There are many ways to protect integrity, such as:
- Using checksums and hash functions to verify the authenticity of data
- Implementing change management procedures
- Using version control systems
- Regularly backing up data
Availability is the protection of information from unauthorised destruction or disruption. This means that information should be available to authorised users when they need it.
There are many ways to protect availability, such as:
- Using redundant systems and backups
- Implementing disaster recovery plans
- Keeping systems up to date with security patches
- Monitoring systems for signs of attack
The three key elements of information security are interrelated. For example, if confidentiality is compromised, then integrity and availability may also be compromised. Therefore, it is important to implement appropriate controls to protect all three elements.
Does ISO 27001 require a risk assessment?
Certainly, ISO 27001 places significant emphasis on conducting a comprehensive risk assessment. This requirement serves as the bedrock of the entire information security framework outlined in the standard.
The risk assessment is the foundation for all other information security controls in ISO 27001 because it helps organisations to:
- Identify the risks that their information assets or scenarios face
- Assess the likelihood and impact of those risks
- Prioritise the risks based on their severity
- Select appropriate controls to mitigate the risks
- Monitor and review the risk assessment process on a regular basis
The risk assessment should be conducted on a regular basis, and it should be updated as the organisation's information assets/scenarios and threats change. The results of the risk assessment should be used to prioritise the implementation of information security controls.
In essence, ISO 27001 not only mandates a risk assessment but positions it as a fundamental and ongoing activity that underpins the entire information security management system. It's not merely a requirement; it's a strategic imperative for organisations seeking to safeguard their valuable information and mitigate security risks effectively.
How to conduct an ISO 27001 risk assessment?
There are many different ways to do an ISO 27001 risk assessment. However, the following steps are generally involved:
- Identify the organisation's information assets.
- Identify the threats and vulnerabilities that could impact those assets/scenarios.
- Assess the likelihood and impact of those threats and vulnerabilities.
- Implement controls to mitigate the risks.
- Regularly review and update the risk assessment process.
Is ISO 27001 risk based?
Yes, ISO 27001 is a risk-based standard because it recognises that the level of risk that an organisation faces will vary depending on a number of factors, such as the type of information that it processes, the size and complexity of the organisation, and the threats and vulnerabilities that it faces.
The risk-based approach of ISO 27001 is reflected in a number of clauses in the standard, including:
- Clause 4.1, which requires organisations to define their information security policy, which should be based on the organisation's risk assessment
- Clause 6.1, which requires organisations to identify their assets and their associated risks
- Clause 8.2, which requires organisations to conduct a risk assessment to identify, assess, and prioritise the risks to their information assets
- Clause 8.3, which requires organisations to select and implement appropriate controls to mitigate the risks to their information assets
The risk-based approach of ISO 27001 allows organisations to tailor their information security controls to the specific risks that they face. This helps to ensure that organisations are only implementing controls that are necessary and proportionate to the risks, which can help to reduce the cost of information security.
Overall, this approach is a valuable tool that can help organisations to improve their information security posture and protect their most valuable assets.
Get your free ISO 27001 risk assessment guide
To learn more about ISO 27001 risk assessment, download our free ISO 27001 risk assessment guide. This guide outlines an 8-step simple plan for your organisation to conduct a hassle-free and effective risk assessment.