
ISO 27001

* Diego Souza 

In an increasingly competitive market you may face dilemmas such as: “What can we do to differentiate ourselves?”, “How do we make the company stand out from its competitors?”, “Are my investments producing the expected return?”.

Technological developments have brought “problems” for some and “solutions” for others: e-commerce, social networking, and the consumerization of IT / use of personal equipment (smartphones, tablets, notebooks), which generate exposure and leakage of corporate information when the organization does not apply controls to its infrastructure, or is not prepared for the BYOD (bring your own device) wave and the corresponding awareness of its employees.

Considered a strategic asset for the business, “information” can be regarded as a survival item for the organization and should be properly treated, protected and managed in its storage and use, preventing unauthorized people from accessing it.

Based on these factors, many companies seek to comply with the requirements set forth in ISO / IEC 27001, whether due to a business concern with the leakage of confidential information and its tangible and intangible impacts, or a demand from commercial or marketing areas aiming at participation in public tenders and RFPs, and / or greater visibility in the market.

But how do you protect the information? Many people will say it is done by implementing antivirus, firewalls and sophisticated tools like DLP (Data Loss Prevention), which in fact applies controls only in the technology pillar. And what about the other pillars, processes and people? When we talk about Information Security we tend to think only of technology, but the process and people pillars must also be addressed, so it is necessary to apply clear policies and procedures, training and awareness campaigns, legal protection, disciplinary measures, and other methods.

 

Why implement an ISMS (ISO 27001)?

Recently updated in 2013 by experienced professionals, ISO / IEC 27001 is designed to ensure the selection of appropriate security controls, to protect information assets and to provide confidence to stakeholders.

The implementation of the ISMS comprises the definition of controls, guidelines, standards, procedures, a framework and other administrative measures that together define how controls are implemented and managed, how assets are protected and how risks are managed.

The requirements addressed in the standard are generic and can be applied across organizations regardless of type, size or nature.

The benefits and return on investment of establishing the ISMS become noticeable when the organization is able, through the ISMS, to preserve the confidentiality, integrity and availability of information. This occurs through:

• Compliance with data protection, IT governance, financial institutions, telecommunications and / or government regulations;

• Greater trust from business partners, stakeholders and customers;

• Reduced IT costs with rework expenses, unnecessary and / or redundant processes;

• Reduction of information leak incidents and environment outages.

Another way to evaluate the value generated by the risk management that the ISMS implements is to consider:

• Corporate Governance – business vision at the strategic level;

• Management of operational and corporate risks;

• Functional and documented processes, through the implementation or determination of policies and procedures;

• Support to security management of physical and logical infrastructure;

• Mechanisms for combining resources with other Management Systems, e.g. ISO / IEC 20000;

• Improved definition of roles and responsibilities;

• Continuous improvement using the PDCA model.

Conclusion

Although the implementation of the ISMS is considered by many to be a bureaucratic process that constrains the operation with a series of processes and controls, a well-structured ISMS brings management peace of mind, making the care of Information Security something shared and maintained by all employees, and directing efforts in a balanced way.

While implementing the processes that make up the ISMS can bring many benefits to your organization, in most cases the investment is driven by market demand, so the initial concern is really more with the certification itself and the new opportunities it will provide the organization than with the benefits the ISMS itself delivers.

It is worth remembering that implementing the ISMS does not involve exorbitant costs, since the operational costs are easily outweighed by its numerous benefits, and as the process of continuous improvement goes on, its processes aim to increase the maturity of the organization.

 
