A management system is a set of processes to achieve certain objectives. The scope of the management system can relate to one site or to multiple sites of the organization, and it can cover all or only some of the processes of the company. An information security management system, or ISMS for short, is a management system that focuses solely on building the processes that will safeguard an organization’s information.
ISO 27001 and ISO 22301 are related because having a business continuity plan is an important part of good information security.
ISO 27001 follows the HLS (high-level structure) shared by other management system standards, including ISO 9001, ISO 14001 and ISO 45001. This means that ISO 27001:2022 has 10 Clauses.
The official definition of an ISMS is “policies, procedures, guidelines, resources and activities to be managed by an organization in the pursuit to manage its information assets”.
Most importantly, when implementing a management system, we have to focus on continual improvement.
Some of the benefits of implementing an ISMS are:
- Reduce risks to information security and ensure business continuity
- Protect valuable assets and sensitive information
- Have a competitive advantage & enhanced reputation
- Give increased peace of mind to customers
The above benefits are critical to sustaining a growing business. If any of them is missing, it really is a big problem. A car has brakes so that you can drive faster, knowing that you can slow down whenever you want to.
Now let’s talk about the Clauses of the Standard, starting from Clause 4. Clauses 1-3 contain no requirements to implement.
Context of Organization
The stakeholders (internal and external) and their needs. This is what gives us critical information on how to build the system so that it meets the requirements of each of these stakeholders. For example, if there is a regulatory requirement, we might need to report information in a certain way.
Scope of Certification
For ISO 27001 this relates mostly to the Annex A controls that will not be included. The organizational boundaries of the scope of certification are:
- Key processes
- Departments
- Locations
- Stakeholders
Defining the scope of certification accurately is important because:
- It helps to define the audit objectives
- It gives clear guidelines on what the auditee can say is included in their ISO certification in their marketing material
The scope of certification can be extended or changed over time. A change in the existing processes can trigger a change in the audit scope.
Naturally, if the scope of certification is changed, the certification body, the auditor and the auditee would all need to sign off on this change. Once the scope of certification changes, the audit duration and other audit objectives would need to be revisited.