ISO 27001 Information Security Management Standard - Clauses 0 - 3

Posted by Craig Thornton

Part 12: Clauses 0, 0.1, 0.2, 1, 2 and 3 - Introduction, Scope, Normative References, Terms and Definitions

As I wrote in the sister compendium to this blog (The Ultimate Guide to Achieving ISO 9001:2015 Certification), ignoring these introduction clauses is like ignoring the first third of a movie. It’s “…where the fundamentals of the story are laid out, where all the characters are introduced, and where all the groundwork is laid”.
You need to read these clauses carefully and understand them.

Clause 0.1 General

The main points of this clause are:

  1. The standard gives you the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Follow those requirements and you give confidence to interested parties (i.e. customers) that you are managing your information security risks.
  2. Adoption of these requirements needs to be a strategic decision. Strategic decisions come from top management or from Boards of Directors. Make sure your Board has agreed to meeting ISO 27001.
  3. The ISMS will help preserve the confidentiality, integrity and availability of information.
  4. You need to use risk management processes in your ISMS.
  5. You need to integrate your ISMS with the rest of your organisation’s processes and overall management structure. It is not to be “silo-ed”, kept separate or used just by the IT Department.
  6. The standard can be used as an audit tool by interested parties. Here at Mango we have lots of customers - and potential customers - who use this standard to assess our information security processes.
  7. You also need to read and understand ISO 27000:2016. The ISO 27000 standard gives you the overview, the principles and the vocabulary so that you can understand ISO 27001:2013.

0.2 Compatibility with other management system standards

The structure of the ISO 27001:2013 standard is based on the Annex SL framework. This allows for identical sub-clause titles, identical text, common terms, and core definitions with other standards like ISO 9001, ISO 14001, ISO 22301, ISO 45001 and all other new management system standards from ISO.

Therefore, you can integrate easily with these other standards. 

Your aim should be to operate a single management system, and thus reduce duplication, bureaucracy and wasted time.

1 Scope

The requirements specified in the ISO 27001 standard are to be applied within the context of your organisation. Therefore, determining your organisational context is very important. This is so you don’t overdo your system and start trying to meet something you don’t need to achieve.

The clause repeats that you need to use risk management processes for your ISMS.

The standard also fits organisations of all sizes.

Finally, there are no exclusions allowed in this standard.

2 Normative references

This clause means that ISO 27000 is indispensable to the application of ISO 27001. Therefore, you must get your hands on ISO 27000, read it, understand it and use it freely in your ISMS.

3 Terms and definitions

This is another reason to understand ISO 27000. All the terms and definitions that are given in ISO 27000 apply to ISO 27001.
Takeaway

  1. Read these introduction clauses carefully and make sure you understand them.
  2. Get your Board to make certification to ISO 27001 a strategic decision.
  3. Commit to using risk management throughout your ISMS.
  4. Look to integrate your ISMS with your other management system standards.
