ISO/IEC 27001 – Information Security Management – Lead Implementer


I just got the ISO/IEC 27001 – Information Security Management – Lead Implementer certification from BSI Group. It was an exciting, full five-day training from BSI Group in the UK about Information Security Management Systems.

The idea behind the course is to help an organization build a framework for establishing, implementing, maintaining and continually improving an information security management system (ISMS) in the context of the organization. Information security is the preservation of the confidentiality, integrity and availability of information.

It all starts with identifying the organization's internal and external context, and the requirements of its internal and external interested parties, in order to define the scope of the ISMS and an information security policy that is approved and driven by top management.

Roles, responsibilities and authorities are then assigned to support these requirements, and the necessary resources shall be allocated. Communication and awareness activities shall take place to support the policy and to make sure everyone knows their role and responsibility.

Risk assessment identifies the risks, which are then treated according to a well-documented risk treatment plan, and any nonconformity shall be addressed through corrective action. Monitoring and measurement then confirm that the information security objectives are being achieved, and an internal audit programme is established to report on the effectiveness of the ISMS.

Most organizations are actually doing this without realizing it. Suppose an organization wants to enhance its business offering by accepting credit card payments online. An external requirement in this case is PCI DSS compliance, which is needed to process card payments online; the parties that impose it (the card brands and the acquiring bank) are what we call external interested parties. The customer wants the option to pay online, so the customer is another interested party. Top management wants to enable this payment method, so it allocates resources and communicates the new payment option together with a commitment to secure payment for the customer (this is, in effect, a policy that shall be communicated). From there, risk assessment takes place to ensure that cardholder data is kept safe and secure, and an internal audit programme can validate those confidentiality measures and report the results to top management.

What is interesting about this topic is that information security is not purely an IT or technology concept, as it applies to information in all its forms. It could be the knowledge in people's heads or the contents of a piece of paper. Most people think information security is an IT topic, while its scope is much broader. We can say that information security is the big umbrella and IT security is one part of it.