Information has become the ultimate competitive edge in the globalized business world, as use of the Internet has spread into every segment of life. Information security aims to ensure business continuity, to minimize the loss resulting from a disaster, and to protect the confidentiality, integrity and availability of resources, which are regarded as the building blocks of businesses, under any circumstances. To guarantee information security in an organization, the IT systems employed must be kept up to date and must be configured to fulfill security requirements.
For information security, an organization needs to have structural measures and audits in place, such as an Information Security Management System (ISMS), in addition to adopting technical measures. The ISO 27001 Information Security Management System is one of the pivotal components of integrated management systems, particularly for organizations seeking institutionalization. Through an ISMS, businesses identify their information assets, analyze their potential risk exposure, and decide which controls to implement, and which not to, against those risks. Businesses conduct their risk management activities in accordance with the "Plan-Do-Check-Act" (PDCA) cycle, and keep working until the risk level of the relevant asset is reduced to an acceptable level.
Information security audits have shown that the following security vulnerabilities are very common:
To make sure there are no known security vulnerabilities in enterprise IT components, technical security measures are taken, technical security tests are conducted, and IT security is managed through a structured framework.
Keywords: Information Security, ISO/IEC 27001:2013, Information Security Management System, ISMS, PDCA