ISO/IEC 27001

iFACTS on ISO/IEC 27001 Information Security Management System

 

ISO/IEC 27001 was first launched in the mid 1990s. It was predicted to overtake the ISO EN 9001 Quality management system in terms of certified organizations, but this never happened.

 

Instead, it turned into a best practice rather than a certification standard. Companies did not see the value of being certified but appreciated the guidelines as a best practice.

 

It is not surprising that expectations for ISO/IEC 27001 were high. There had been a large number of serious IT incidents at a time when companies were totally dependent on IS/IT to support the business. And as we all know, this trend has only continued. What do we do when the network is down?

 

Reading ISO/IEC 27001, it becomes clear that there is a definition challenge concerning what "Information" is. The larger part of the standard addresses how to control IT assets, but information can take other forms and shapes not involving IT at all. Reflect on the following types of information:

 

  • The Coca-Cola recipe
  • Server
  • Backup station
  • Logistic system
  • IT service System hosting
  • Embedded Control system
  • Competence
  • The Viagra patent

 

 

Another challenge is how IS/IT is integrated in the business. In most cases IS/IT is there to support the business, so focusing on IS/IT itself might not be enough. To declare "Information Security" we must understand how it is used in the business.

 

In the iFACTS concept, IS/IT is considered an organizational asset together with other assets such as business processes, projects, competences, patents, production, facilities, etc. All of these assets contribute to the final output of the organization, and they all have to interact to reach the company objectives.

 

iFACTS supports information security as a management system. Examples of modules used:

  • The Asset module to document and control IT assets.
  • The GAP module to build web questionnaires/checklists used for GAP analysis.
  • The Risk module to assess risk scenarios.
  • The Chart module to map all the dependencies between IS/IT assets and other organizational assets and activities.
  • The ONTRACK report module, where assets are presented with a score of 0-100%.

 

iFACTS is the single point of entry for organizational data, connecting, for example, IS/IT assets with business processes, projects, facilities or risk events, and providing the platform for business continuity, information security or management reporting. This also means that all the different management systems are integrated into one.