ISO 27001 Certification: It’s More than Information Technology

by Isabel Blamey Professional writer

If you think that the ISO 27001 Standard is all about Information Technology, you are wrong. It is not confined to IT security controls. This article discusses nine vital security controls included in the ISO 27001 Standard that are not related to IT.

Across the globe, an increasing focus on information security is clearly visible, and Australia is no exception. Because of the threat of hackers, frequent reports of data breaches, and unethical phone hacking, information security has become important for every business. Although these risks and threats are often centred on failures of information technology, a data breach is not confined to Information Technology. Whenever the ISO 27001 Standard comes up, we automatically relate it to IT. However, this ISO standard includes many non-IT information security requirements as well. In this article, we discuss those aspects of ISO 27001 certification that are not related to IT.


This article lists nine Information Security Controls included in the ISO 27001 Standard that are not related to IT.


1. Clause A.7.1.1


When it comes to recruitment, an organisation should carry out background checks on all candidates. It is also important to include information security requirements in the terms and conditions of employment. An organisation should make candidates fully aware of these security requirements before they join the organisation. This helps management avoid any conflict of interest in the future.


2. Clause A.7.2.2 & A.7.2.3


The ISO 27001 Standard requires an organisation to train its employees and contractors in the information security matters relevant to their respective roles. Moreover, the organisation must discipline employees who have violated the information security policy. Whenever training is planned for employees, it is important to add worthwhile sessions on information security to the training program.


3. Clause A.8.1.1 & A.8.1.4


A business should ensure that its information security assets have been recorded in an inventory and that each asset has a designated owner. When employment is terminated, people must return any assets in their possession. The business should maintain a register holding all records of its information security assets.


4. Clause A.8.2.1 & A.8.2.2


An organisation should classify and protect its information. Confidential information needs stronger protection than information that is less critical. Information should be labelled according to its importance. Some businesses overlook classifying their information, and in such cases they may fail to meet ISO 27001 requirements.


In order to gain ISO 14001 Certification, organisations need to identify the possible threats their operations pose to the environment, and then deal with those threats according to their severity. In the same way, the importance of information should be assessed so that confidential and minor information can be classified for ISO 27001 requirements.


5. Clause A.8.3.3


When it comes to transporting physical media, an organisation should protect the information carefully. Any vehicle an organisation uses should be secure, so that the information is protected from damage while it is being moved around. This applies whether the media travel by car, train, motorbike, truck, courier, or plane.


6. Clause A.11.1.2 & A.11.1.4


Physical entry controls should be in place wherever information is kept and processed. These areas should also be protected against natural disasters and accidents. Two issues should be considered here: 1) keeping unauthorised people out, and 2) never storing valuable information in a basement if there is any chance of flooding.


7. Clause A.11.1.6


The ISO 27001 Standard requires delivery, loading, and similar areas to be controlled so that unauthorised persons cannot enter. Organisations should make sure these entrances are secure, which can be difficult when they are left open to move goods in and out. It is also important to ensure that sensitive or highly confidential information is not kept where it is easily accessible from such areas.


8. Clause A.11.2.9


A business should keep desks clear of papers and portable devices when they are not in use. Management should make it clear that employees must not leave important items on their desks or anywhere else; whenever they are away from their workstation, they should lock important documents in a locker.


9. Clause A.11.2.3


Cables that carry data or support information services should be protected from damage. Data cabling should be correctly routed to avoid any kind of damage; cables should not simply be trailed across the floor.


A Final Takeaway


These nine information security controls are not related to Information Technology, yet the ISO 27001 Standard still prioritises them. To gain ISO 27001 Certification, an organisation should pay attention to each of these nine elements. All of the controls discussed above are included in Annex A, and this list challenges the idea that the ISO 27001 Standard is all about Information Technology.


Author Bio


Damon Anderson is a leading ISO 27001 Certification consultant having expertise in security control management, environment management, and quality management. He is a regular blogger. His blogs are a powerhouse of information about ISO 14001 Certification and ISO 9001 Certification.


Created on Jun 18th 2019 08:03. Viewed 423 times.