Logic Of ISO 27001 And How Does Information Security Work?
- By john.pbtm
- 09 May, 2017

While discussing this standard with someone who is not very familiar with it, I normally run into the same problem: most people believe that the standard is a detailed description of the tasks they must carry out in order to make things secure.
For instance, when and how often they will need to make backups, how far their recovery site should be from the disasters that may take place, and what type of technology they should choose to protect their networks from attackers.
The truth is quite the opposite: ISO 27001 works in a completely different fashion and prescribes none of the things that newcomers expect from it.
Why not prescriptive?
Let's assume for a moment that the standard prescribed backing up your systems every 24 hours. Honestly, would that really be the right rule for you in such fast-paced and constantly changing technological conditions?
For some organizations it may work, but in many others backups are required twice an hour, if not in real time.
Management of risk is the core idea in ISO 27001:
Naturally, this may raise the question of what good the standard is if it does not even tell you firmly how to secure things, especially data. My answer is that it provides you with a structure that enables you to choose the protections that are most relevant to your own security needs.

You cannot rely on IT alone:
If you work in a company's IT department, you will agree when I say that data loss and other incidents do not always happen because a system crashed; in many cases they happen because of the way users (staff members) deal with the systems, which is often the wrong way.
Such gaps cannot be closed by technical safeguards alone. Robust and secure operations require additional steps in the form of the following:
- A set of clear and precise policies
- Smart procedures
- Staff awareness and regular training sessions
- Legal protection
- Ensuring that information is handled in a disciplined manner
The role of Top management:

The following is the set of checks that the standard offers in order to guide top management in the right direction:
- They must define the enterprise's expectations (goals) for information security.
- They must publish a robust policy on how to manage and analyze whether the set goals have been achieved or not.
- Information security duties must be assigned to the most relevant personnel.
- They must ensure regular reviews of whether all the targets are actually met.
- They must provide adequate staff and money for things to operate smoothly.
You can avoid deterioration in your company:
In this advanced era, we cannot deny the usefulness of, and the need for, information security consulting firms. They are the right ones to approach to safeguard a business's information security matters. For better security hygiene, you should take this advice seriously; it will certainly pay off a great deal.
