ISO/IEC 27001:2013 / ISMS Overview

VHBuild is proud to be certified to ISO/IEC 27001:2013, which confirms that our business operations follow an internationally recognized standard for information security management.

What is ISO/IEC 27001:2013?

ISO/IEC 27001:2013 is the international standard for Information Security Management Systems (ISMS). Certification against it is granted by an independent, accredited third-party certification body (registrar) after an audit, and demonstrates that a business has taken the necessary precautions to protect sensitive information against unauthorized access and modification. An ISMS certified to ISO/IEC 27001:2013 helps an organization protect its information in terms of confidentiality, integrity and availability. The standard is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); its first edition, ISO/IEC 27001:2005, superseded BS 7799-2:2002 as the international ISMS standard, and the 2013 edition in turn replaced the 2005 edition. ISO/IEC 27001:2013 adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's ISMS.

ISO/IEC 27001:2013 Content

ISO/IEC 27001:2013 contains best-practice controls in the following areas:
An Information Security Management System (ISMS) is a systematic approach to managing sensitive information so that it remains secure. It aims to achieve this in three main areas, confidentiality, integrity and availability, and encompasses people, policies, processes and IT systems. ISO/IEC 27001:2013 provides a model for establishing, monitoring, reviewing, maintaining and improving an ISMS. The adoption of an ISMS should be a strategic decision of an organization. The design and implementation of an organization's ISMS is influenced by its needs and objectives, its security requirements, the processes employed, and the size and structure of the organization. These, and the systems that support them, are expected to change over time, so an ISMS implementation is expected to be scaled in accordance with the needs of the organization. ISO/IEC 27001:2013 describes ISMS establishment and continual improvement as a repeating cycle, conventionally presented as the "Plan-Do-Check-Act" (PDCA) model:
Once an organization has been through these steps, its Statement of Applicability records which of the standard's Annex A controls it has selected, with the justification for each inclusion and exclusion, and a successful audit by the certification body confirms that the ISMS has been implemented and operated in accordance with ISO/IEC 27001:2013 and that the organization's information security has been enhanced.