
ISO 27001:2013

Internationally approved and accredited
ISO 27001 Information Security Management System Certificate and Certification Services

ISO 27001 Information Security Management System

Today's world is the world of knowledge. What companies, organizations, states, people and society have in common is that they live in the information age. Knowledge has become an indispensable element of competitiveness and success in the production and consumption of any good or service. As such, information must be safe and reliable. Regardless of the nature of the work or the form of the process, information security must be ensured and managed effectively, continuously and successfully in all processes, even where technology is not involved. Effective management of processes also requires effective management of information security processes.

If a company does not have information security strategies and effective methods to manage them, it will inevitably experience serious problems and material losses, not only in terms of security but also in the management of operational and all other business processes.

All kinds of information used in business life and shared for business purposes are valuable and should be protected. Today, all kinds of valuable information are kept in computer environments.

Information security is of utmost importance in ensuring the continuity of each organization and is intended to ensure the protection of the organization's critical and confidential information and other information assets, particularly in electronic environments.

Information security problems and risks exist not only for large companies but also for government bodies, non-profit organizations, schools and similar organizations, albeit at different levels. This reality is experienced every day, in our country and throughout the world, on an ever-increasing scale.

In short, information security management is gaining importance as it must cover ever-changing and increasingly significant risks in parallel with international standards, relevant national or international legal regulations, commercial obligations, measurement methods, developing technologies and changing business processes.

Various studies on information security are carried out by many local and foreign organizations. Among these, the results of a study conducted in 2005 and covering only our country are quite striking. According to the results of this internet security survey, which included more than a thousand internet users and nearly one thousand companies, a firewall is not used for 65 percent of internet access. 43 percent of web servers are at risk of having their information easily tampered with, their home pages changed, or being moved to another address. Only 30 percent of companies and Internet users are protected against spyware. 22 percent of DNS servers have security vulnerabilities, and e-mails can easily be intercepted or employees' banking passwords stolen over the Internet. In short, almost half of the respondents are at risk from future security threats over the Internet.

ISO 27001 Information Security Management System

If, for any reason, an organization is unable to secure the information it possesses, it may be put in a difficult position before its customers, its activities may slow down or even stop, resources may be depleted unnecessarily, and the company may lose reputation and become liable to third parties. The ISO/IEC 27001 Information Security Management System standard has been developed by the International Standards Organization in order to avoid all these negative outcomes. This standard is designed to help organizations protect and manage their valuable information assets. Prepared by the joint technical committee established by the International Standards Organization together with the International Electrotechnical Commission, it is the only international standard that is designed to ensure information security and adequate and proportionate security controls.

Companies that set up and manage the ISO 27001 Information Security Management System identify their information infrastructure, analyze the possible attacks on and risks to their information assets, and decide what should be done if such hazards occur.

The ISO 27001 standard gives companies the opportunity to identify the risks that must be addressed to protect information, and to take measures to eliminate or minimize these risks.

Importance of Information Security Risk Measurement

There is a wide range of methods for information security risk measurement and assessment, and a wide range of software that uses these methods. However, the value of the information assets to be measured and evaluated should be determined beforehand. Then it should be analyzed with what probability, through which security vulnerabilities or weaknesses, and to what extent threats will adversely affect these information assets. In this way, the potential loss of information assets is calculated for the case in which the risk occurs. After all risks are calculated in this way, it is determined which risks are a priority for the organization, the extent to which these risks should be reduced, the solutions to be applied to reduce the risks to the desired level, the measures to be taken and the controls to be performed, and the costs of implementing these solutions are analyzed. During these studies, how effective the measures to be taken and the solutions to be implemented will be is also taken into consideration.

Information assets, like all commercial assets, are a valuable resource for businesses and need to be properly protected. The right management system to ensure this is the ISO 27001 Information Security Management System. With the implementation of the ISO 27001 standard in the company, the necessary risk measurement and evaluation studies are carried out and the protection of information assets becomes systematic. With the ISO 27001 Information Security Management System, information assets are protected from threats and risks in order to minimize possible commercial losses, to maximize the return on commercial investments and opportunities, and to ensure commercial continuity.

What Are the ISO 27000 Standards

The ISO 27001 standard is not stand-alone. ISO 27000 is actually a family of standards. These standards are as follows:

  • TS ISO/IEC 27001 Information Technology - Security Techniques - Information Security Management Systems - Requirements (this standard specifies the conditions for the establishment, implementation and improvement of the Information Security Management System and is the basic standard of the system)
  • TS ISO/IEC 27002 Information Technology - Security Techniques - Code of Practice for Information Security Controls (this standard is a guideline for enterprise information security standards and information security management practices, including the selection, implementation and management of controls considering the organization's information security risk environment)
  • TS ISO/IEC 27003 Information Technology - Security Techniques - Information Security Management System Application Manual
  • TS ISO/IEC 27004 Information Technology - Security Techniques - Information Security Management - Measurements
  • TS ISO/IEC 27005 Information Technology - Security Techniques - Information Security Risk Management
  • TS ISO/IEC 27006 Information Technology - Security Techniques - Requirements for Organizations Performing Audit and Certification of Information Security Management Systems

Which Organizations Is the ISO 27001 Standard For

Organizations do not need any specific characteristics to implement the ISO 27001 standard. Any organization operating in the private or the public sector may establish the ISO 27001 Information Security Management System, regardless of the sector in which it operates or its size, and may request the ISO 27001 Certificate if it meets the requirements of the standard.

There are no restrictions on the application of the ISO 27001 standard. The important thing is that the organization has information that needs to be protected. In practice, however, the system is used predominantly by banks and financial institutions, health institutions, pharmaceutical companies, companies operating in the automotive and chemical industries, governmental organizations and institutions that use information technologies. Protection of information is more important in these fields of activity.

Why Information Security

There are three factors that need to be addressed in information security: ensuring that information is kept confidential, maintaining the integrity of information, and ensuring that information is accessible.

In short, information should only be accessible to persons granted access. Persons authorized to access information should have access to this information whenever they need it. The integrity and accuracy of the information provided must be guaranteed.

With the ISO 27001 Information Security Management System, the confidentiality of information assets is protected and information is prevented from being corrupted or changed by unauthorized persons. Accurate and reliable information is made available to authorized persons only, at the requested time. The deterioration, loss or misuse of information assets is prevented or minimized by various control systems. The business continuity of the company is not interrupted by damage to information. At the same time, awareness of information security is created among all employees.

What Are the Main Objectives of the ISO 27001 Standard

In line with the explanations made so far, the main objectives of the ISO 27001 standard can be explained as follows:

  • Identifying potential information security vulnerabilities of the firm
  • Systematically monitoring risks that threaten information assets
  • Identifying controls to ensure the security of information assets at risk
  • Ensuring that necessary controls are performed
  • Keeping possible risks at acceptable levels
  • Ensuring the continuity of the information security controls to be performed by the company
  • Determining and implementing the management processes needed to realize all of the above

The ISO 27001 standard covers the organizational structure, policies, activities, responsibilities, implementation instructions, business processes and resources of the company that has established this system.

Today, protecting information has become more and more difficult. As information technology evolves, security problems also grow. It is a fact that society has become an information society, but the way to protect against risks is not to spend more money on IT or to use more security technologies. Organizations and people need to be aware of the right security solutions and strategies and use them at the right time and in the right place.

For information security management to be effective and successful, it must be owned and supported by senior management, and awareness must be raised among employees through various training activities and events.

In order to obtain the expected benefit from information security work, it is necessary to identify the priority risks for the company, to find suitable solutions to reduce these risks, to implement these solutions correctly, to monitor their application regularly and to improve continuously by carrying out the necessary improvement work. The ISO 27001 Information Security Management System standard is the right tool to meet this expectation. However, the most critical success factors in information security are willingness, awareness and knowledge. The goal of information security work should be for information security to become part of the corporate culture over time, because unawareness, malice or carelessness on the part of the company's employees is much more risky and harmful than attacks from outside the company.

The ISO 27001 Information Security Management System is a system that should be kept alive in the company, adapt to changes and remain open to continuous improvement.

Our organization, TÜRCERT Technical Control and Certification Inc., carries out ISO 27001 Information Security Management System certification work based on authorization from national and international accreditation organizations.



ISO 27001 Certificate

Our company will be the best choice for obtaining your internationally valid, accredited and certified ISO 27001 Information Security Management System Certificate. You can apply by filling out the application form. We will inform you as soon as possible about ISO 27001 Information Security Management System certification.