Management Clauses: Understanding ISO 27001 Part 2
Adewale Adeife, CISM
Cyber Risk Management and Technology Consultant || GRC Professional || PCI-DSS Consultant || I help keep top organizations, Fintechs, and financial institutions secure by focusing on People, Process, and Technology.
In part one of the ISMS series, I explained that the ISMS can be divided into two main parts.
1. Clauses 4-10, introduced October 2022.
2. Annex A
Annex A is a code of practice that recommends information security controls addressing the control objectives arising from risks to the confidentiality, integrity, and availability of information. The Annex A controls can be divided into 4 categories (114 to 93 controls) and were introduced in March 2022. Clauses 4-10 are the most important part of the ISMS, and auditors take them to heart. The Annex A controls supplement the risk management requirements of Clauses 4-10.
Today's article focuses on the management clauses as Clauses 4-10 establish the “Information Security Management System.”
Clause 4: Context of the organization
This involves understanding the organizational context, the needs and expectations of "interested parties", and defining the scope of the ISMS. Section 4.4 states plainly that "The organization shall establish, implement, maintain and continually improve" the ISMS.
Clause 5: Leadership
Clause 5 requires that top management demonstrate leadership and commitment to the ISMS, mandate the information security policy, and assign information security roles, responsibilities, and authorities. Top management is the highest-level representative who oversees, and is accountable for, the operation of the ISMS.
Clause 6: Planning
Planning outlines the process to identify, analyze, and plan the treatment of information risks, and clarifies the information security objectives.
Clause 7: Support
Under Support, the goal is to show that adequate, competent resources have been assigned, awareness has been raised, and documentation has been prepared and controlled.
Clause 8: Operation
This involves providing additional detail on assessing and treating information risks, managing changes, and documenting activities so that they can be audited by the certification auditors.
Clause 9: Performance Evaluation
This is where internal audit comes into play. It involves monitoring, measuring, and evaluating the information security controls, processes, and management system, and systematically improving them where necessary.
Clause 10: Improvement
When you sign up for ISO 27001 certification, it is an ongoing commitment, and you don't want to lose your certification. The initial cycle is three years (one certification year and two years of surveillance audits). In this clause, you are tasked with addressing the findings of audits and reviews (e.g. nonconformities and corrective actions). The goal is to make continual refinements to the ISMS.
This is just a summary of the management clauses, and my next article will explain the management clauses in depth. Kindly share and leave a comment.
IT Governance Risk & Compliance Manager | CySA+ | CASP+ | ISOx2.
11 months: Thank you
Human Resources Generalist @ Association of the Church of Jesus Christ | MBA, International Business Management, EMBA Conflict Management.
11 months: Thank you for sharing.
Legal Practitioner || I.T. & Cybersecurity Consultant || IT GRC || Data Privacy and Data Protection Law || LLB, BL, LLM, Alumni Cyblack, GRCAfriq, IGNITE/ISACA
11 months: Simple, clear and concise.
PhD || UN Women UK Participant for CSW68 || Multi-Award winning Cybersecurity Professional || Teacher || Keynote Speaker || Cybersecurity Career Coach and Mentor || Cyblack ||
11 months: Well done