The main purpose of this system is to protect sensitive information. This system includes employees, business processes and information technology (IT) systems.
The most widely used standard in information security management is the “ISO/IEC 27002 Information Technology – Security Techniques-code of practise for Information Security Controls” standard. This standard sets out general principles and guiding information to initiate, perform, maintain and improve information security management within businesses. “ISO 27001 Information Security Management Systems” standard is used for the certification of the ISMS established by obtaining the ISO/IEC 27002 guide. This standard covers the requirements to establish, realize, monitor, review, maintain and improve a documented ISMS in the context of all business risks of the organisation. In order to meet the business risks, how the control objectives set out in ISO/IEC 27002 will be implemented and audited within the organisation is determined in ISO/IEC 27001.
ISO/IEC 27001 and ISO/IEC 27002 standards are the most basic reference sources on ISMS. These two standards directly address the issue of information security. Institutions are free to choose the methods and technologies to be implemented.
Within the scope of ISO 27001 Information Security Management System standard, PDCA (Plan – Do – Check – Act) model is used for the establishment, implementation, operation, monitoring, review, maintenance and review of ISMS. The PDCA model takes the information security requirements and expectations of the relevant parties as input and produces information security results that will meet these requirements and expectations through the necessary actions and processes.
In order to take precautions to comply with the principles of confidentiality, integrity and accessibility in all processes and assets included in the scope of information security management, the following risk management activities are carried out. It is aimed to keep the risk level for each asset below the acceptable risk level.
Risk management and implementation of controls is a continuous activity, and it is aimed to make improvements for risks that fall below the acceptable risk level.
Some of the Related Documents
- Asset Inventory Preparation and Management Procedure.
- Risk Assessment Procedure.
- Network Devices Security Procedure.
- Network Management Procedure.
- Information Technologies Technical Equipment Maintenance Procedure.
- Wireless Communication Procedure.
- Authentication and Authorization Procedure.
- Procedure for Detecting Vulnerabilities.
- Information Systems Acquisition, Development and Adaptation Procedure.
- General Use Procedure of Information Systems.
- E-Mail Procedure.
- Anti-Virus Usage Procedure.
- Internet Usage Procedure.
- Encryption Procedure.
- Change Management Procedure.
- Portable Storage Device Use Procedure.
- Building Security Procedure.
- Database Security Procedure.
One of the most basic features that distinguish the ISO 27001 Standard from other standards was that it included risk assessment and required it for processing the assessed risks. With the Annex SL structure, which is also included in the new standard, risk assessment has become mandatory in all standards that will use this guide.
The standard on how to evaluate the risk associated with the ISO 27001: 2013 version directs us to the ISO 31000 Risk management standard.
The standard does not put pressure on us to do asset-based or process-based, but “The information covered; Identifying risks related to loss of confidentiality, integrity and accessibility”. In other words, the effect of the risk you determined for the process or asset on these three values may differ, and the threat should be evaluated according to these three values while evaluating the risk.
The concept of RISK OWNER is important to the circuit. The part we formerly called asset owner appears as the RISK OWNER in the new risk assessment. The standard wants to identify the risk owners for all the identified risks. Within the ISO 27000 standard, the risk owner states that the risk owner can be a person or a department.
After determining the risk owners, the obtained risk assessment results should be prioritized before starting the risk processing plan. As soon as this prioritization takes place, the risk processing plan is started. The ISO 27001 Standard requires the determination of all controls to be applied for the processing of risk in the risk processing process. It requires that these controls be compared with the 114 items in ANNEX-A and to confirm that no control has been overlooked. After these controls are taken, the new risk score is calculated according to the determined risk processing methodology and the approval of the risk owners of the risk processing plan is obtained.
After the risk processing plan is completed, transactions are carried out to accept the residual risks, which are the remaining risk values. for Residual Risk, you can look at article 2.27 in the ISO 31000 Risk Management Standard.
In other words, since we can never reduce the risk to ZERO (0), we always have a risk.