ISO 27001:2013 is the latest version yet for ISMS Certification. Like other management system standards such as ISO 9001, 14001, 20,000, 45001 it has 10 clauses:
- Scope
- Normative References
- Terms and Definitions
- Context Of the Organization
- Leadership
- Planning
- Support
- Operation
- Performance Evaluation
- Improvement
The most important requirement for this standard is security threat. Online security threats are including Online hacking, data breaching, data theft, online robbery, money stealing from bank account etc are very common and great concern for IT and data management firm.
Clause 6 and clause 8 are the main clauses where an IT firm can work with more concentration. In the clause 6 it is told about planning. This planning should be done very carefully before starting implementation of ISO 27001 Standard throughout the processes of an organization.
Information security risk assessment and Risk Treatment both the two things are very important for a company who are going to implement this ISMS standard in his organization. Establishment of processes for risk assessment and treatment should be focus point of this clause. To do this two jobs carefully helps can be taken from ISO 31000 Standard.
Specially for financial organizations including bank, insurance, leasing company etc who are thinking to adopt this 27001 standard they should do this two things very carefully. If data or client information is disclosed by online hacker then there is a great loss for that organization. So, unauthorized network or server access is a very very risky incident for an financial institute. Risk assessment time this kind of risk should be taken very seriously.
After identifying risk what will be the possible treatment procedures to measure the risk and what will be be mitigation plan to minimize the losses against those risks. All this things should be clarified very carefully during the working time on the clause no 6.
Another important clause is Operation related and it is 8. It is the main process of a company. Most of the incidents happen in this stage. Due to lack of security knowledge of IT Staffs many risks are happened in this operation section. So, 8.2 and 8.3 Sub clauses can be implemented very carefully to minimize any loss in this section. But nothing is written with elaboration in this two sub clauses. That’s why an 27001 Consultant can guide you how to assess the risk and how to minimize the risk in operation.
Software attacks, theft of intellectual property or sabotage are just some of the many information security risks that organizations face in this operation section. And the consequences can be huge. Most organizations have controls in place to protect them, but how can we ensure those controls are enough? The international reference guidelines for assessing information security controls have just been updated to help. ISO 2700, 27002 and 27008 can be good references to work more closely on those risks.
Prof. Edward Humphreys, said,“In a world where cyber-attacks are not only more frequent but increasingly harder to detect and prevent, assessing and reviewing the security controls in place needs to be undertaken on a regular basis and be an essential aspect of the organization’s business processes,”
ISO 27001 is based on PDCA Plan. So before implementation of this ISMS standard you should consider the meaning of P. P means Planning. It should be done carefully. If your planning is not proper and related with your activities then implementation cannot be effective and successful.
So, an expert consultant on 27001 Standard can help you to do the plan properly by focusing on clauses 6 and 8 before real implementation of ISO 27001. Not only for that two clauses rather he will guide you how to apply other clauses like 6,7,9,10 etc in your processes to get real test of ISO 27001:2013 Certification in your organization.
But the problem is lack of 27001 consultant in Bangladesh. Hiring a foreign consultant is a matter of high cost. It is not hard for small and medium size financial organization and IT firm to hire an 27K foreign expert. On the other-hand it is also tough for many organizations to implement 27K requirements just buying some documents from online. There are two causes of it first of all the staffs have no enough time and they are not certified auditor on 27 standard.
So, to implement ISO 27001 requirements properly in your organization there is no alternative to hire a local consultant. Before implementing 27k requirements an ISMS consultant should study your processes and operation by regular visit plans. After introducing with your processes he will help to asses your risks and establishing your risk treatment plan to mitigation the risk.
AAS-BD has some local 27k Consultants who have working experience with foreign 27k expert in Bangladesh for the last 10 years. So, find your 27 implementer in Bangladesh contact now with AAS-BD.