Information exists in many different forms. It can be written on paper, kept electronically, forwarded from one place to another by post or email, or expressed verbally between people. Whatever form it takes, information must be protected in a suitable manner.
Ensuring the security of information means sufficiently ensuring its confidentiality, integrity, and availability. Information security therefore rests on the following three elements:
Confidentiality
Integrity
Availability
Confidentiality: Information is kept out of reach of unauthorized individuals, and its disclosure by unauthorized individuals is prevented.
Integrity: The accuracy and completeness of information, and of the systems that process it, are ensured.
Availability: Information is accessible and ready to use when needed, even when a problem occurs. As a principle of availability, every user must be able to access the information they have the right to access at the time they are authorized to do so.
The Information Security Management System, or ISMS for short, is a systematic approach adopted so that an institution can manage its sensitive information. The primary goal of the ISMS is the protection of sensitive information. The standard used for this is “ISO/IEC 27001:2013 Information Security Management Systems - Requirements”. It contains the requirements for establishing, implementing, monitoring, reviewing, maintaining, and improving the ISMS in the context of all of the institution's business risks.
Misperceptions About Information Security Management Systems
Because there is no legal regulation or obligation concerning information security governance, information security management is implemented in very few public institutions and private-sector companies in our country. These legal gaps also prevent information security management from being structured properly. As a result, managers and personnel in institutions that want to establish an Information Security Management System hold a number of misperceptions.
ISO/IEC 27001 is an international management system standard applicable to organizations of every type, regardless of sector or size. It ensures that the information of organizations and their customers is held and backed up correctly, provides secure and authorized access, and prevents third parties from gaining unauthorized access to that information. In short, it ensures the security of all information and documents belonging to the organization and its customers.
Who is Required to Have the ISO 27001 Standard
ISO/IEC 27001 is suitable for all establishments, large and small, regardless of the sector they are in. The standard is required in particular in fields where the protection of information is highly important, such as the finance, health, public, and software sectors.
Basic Principles of ISO 27001 ISMS
The establishment must establish, implement, operate, monitor, review, maintain, and improve a documented ISMS in the context of its business activities and the risks it faces. As required by this standard, the Plan-Do-Check-Act (PDCA) model forms the 4 basic principles of the Information Security Management System:
Establishment and management of the ISMS
Implementation and operation of the ISMS
Monitoring and reviewing of the ISMS
Providing and improving the sustainability of the ISMS
Benefits of ISO 27001 Information Security Management System Application
Awareness of information assets: Understanding which information assets exist and recognizing their value.
Ability to protect the assets: The methods of protection are specified through the controls that are set up, and the assets are protected by applying those controls.
Business continuity: Guarantees that work continues for many years. Furthermore, in case of a disaster, it has the capability to continue work.
Confidence of interested parties: It gains the trust of the parties concerned, suppliers in particular, because their information is protected.
Protects information by means of a system rather than leaving it to chance.
When customers assess it, it is rated more favourably than the competition.
Increases the motivation of employees.
Prevents legal proceedings.
Provides a strong reputation.
ISO 27001 ISMS Implementation Steps
Classification of assets,
Evaluation of assets according to confidentiality, integrity, and availability,
Carrying out risk analysis,
Determination of the controls to be applied according to the outputs of the risk analysis,
Creation of documentation,
Application of the controls,
Internal audit,
Keeping of records,
Management review,
Certification.
How is the ISO 27001 ISMS Certificate Acquired?
Once all the requirements of the ISO 27001 standard have been fulfilled, an application is made for an external audit. The institution that will carry out the audit first reviews the documentation.
This documentation must include the security policy, risk assessment documents, the risk action plan, the declaration of conformity, and the security procedures. After this review, auditors carry out on-site audits at a later date. In this audit, they examine whether controls appropriate to the size of your establishment and the type of your business have been implemented as described in the procedures you prepared.
Following a successful audit, the ISO 27001 certificate is issued. Surveillance audits for renewal are then carried out, at intervals you set, either once or twice in each year following certification.
The certificate is valid for 3 years; at the end of the third year, re-certification is carried out and your progress in the process is reviewed.