Information security management system: Introduction to ISO 27001

Current scenario: Today's organizations rely heavily on information systems to manage the business and deliver products and services. They rely on IT for the development, production and delivery of various internal applications. These include financial databases, employee time booking, help desk and other services, remote access for customers and employees, remote access to customer systems, interaction with the outside world via email and the Internet, and the use of third parties and outsourced providers.

Business requirements: Information security is often required as part of contracts with clients. Marketing wants a competitive advantage and the ability to build customer trust. Senior management wants to know the status of IT infrastructure outages, information leaks and information security incidents within the organization. Legal requirements such as data protection law, copyright, design and patent regulation, and the regulatory requirements that apply to the organization must be met. Protecting information and information systems to meet business and legal requirements, providing and demonstrating a secure environment for clients, managing security between competing client projects, and preventing leaks of confidential information are the biggest challenges for the organization's information systems.

Definition of information: Information is an asset that, like other important business assets, is valuable to an organization and therefore needs to be properly protected. Whatever forms the information takes or the means by which it is shared or stored, it must always be adequately protected.

Information forms: Information may be stored electronically, transmitted over a network, shown in video, or spoken.

Information threats: Cybercriminals, hackers, malware, Trojans, phishing and spammers are the main threats to our information systems. A study found that most of the people who committed sabotage were IT workers who exhibited characteristics including arguing with co-workers, being paranoid and disgruntled, arriving late for work, and poor job performance in general. Of these insiders, 86% held technical positions and 90% had administrator or privileged access to company systems. Most committed the crimes after their employment ended, but 41% sabotaged systems while still employed by the company. Natural calamities such as storms, tornadoes and floods can also cause extensive damage to information systems.

Information security incidents: Information security incidents can disrupt organizational routines and processes, decrease shareholder value, cause loss of privacy and loss of competitive advantage, damage reputation and devalue the brand, erode trust in IT, force spending to recover damaged, stolen or corrupted data and cover other incident losses, reduce profitability, and cause injury or loss of life if safety-critical systems fail.

Some basic questions:

• Do we have a computer security policy?

• Have we ever analyzed the threats/risks to our IT activities and infrastructure?

• Are we prepared for natural calamities like floods, earthquakes, etc.?

• Are all of our assets insured?

• Do we trust that our IT infrastructure/network is secure?

• Is our business data secure?

• Is the IP telephone network secure?

• Do we configure or maintain the security features of the application?

• Do we have a segregated network environment for production server, testing, and application development?

• Are office coordinators trained to handle a physical security incident?

• Do we have control over the distribution of software/information?

Introduction to ISO 27001: In business, getting the right information to the right person at the right time can mean the difference between profit and loss, success and failure.

There are three aspects of information security:

Confidentiality: Protect information from unauthorized disclosure, for example to a competitor or the press.

Integrity: Protect information from unauthorized changes and ensure that information, such as a price list, is accurate and complete.

Availability: Ensure information is available when you need it. Ensuring the confidentiality, integrity and availability of information is essential to maintaining competitive advantage, cash flow, profitability, legal compliance and commercial and brand image.

Information Security Management System (ISMS): The part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security. The management system includes the organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

About ISO 27001: A leading international standard for information security management, with more than 12,000 organizations worldwide certified to it. Its purpose is to protect the confidentiality, integrity and availability of information. Technical security controls, such as antivirus and firewalls, are typically not audited in ISO/IEC 27001 certification audits: the organization is essentially presumed to have adopted the controls its information security requirements call for. The standard focuses not only on information technology but on all business processes and on the organization's other important assets. The information may or may not be related to information technology and may or may not be in digital form. It was first published as the Department of Trade and Industry (DTI) Code of Practice in the UK, known as BS 7799. ISO 27001 has two parts: ISO/IEC 27002 and ISO/IEC 27001.

ISO/IEC 27002:2005: A code of practice for information security management. It provides guidance on best practices and can be applied as needed within your business. It is not used for certification.

ISO/IEC 27001:2005: Used as the basis for certification. It combines a management programme with risk management. It has 11 security domains, 39 security objectives and 133 controls.

ISO/IEC 27001: The standard contains the following main sections:

• Risk evaluation
• Security policy
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management
• Compliance

Benefits of an Information Security Management System (ISMS): Competitive advantage: business partners and customers respond favorably to trustworthy companies, and having an ISMS demonstrates maturity and reliability. Some companies will only partner with those that have an ISMS. ISMS implementation can also create efficiencies in operations, reducing the cost of doing business, so companies with an ISMS can compete on price as well.

Reasons for ISO 27001: There are obvious reasons to implement an Information Security Management System based on ISO 27001. The standard helps meet legal and regulatory compliance requirements. Information assets are very important and valuable to any organization. Shareholders, business partners and clients must be able to trust the organization's information technology before its commercial advantages can be realized. ISO 27001 certification shows that information assets are well managed with respect to their confidentiality, integrity and availability.

ISMS establishment: Is information security a management challenge or a technical problem? It should be viewed as a business and management challenge, not simply a technical issue to be left to experts. To keep your business safe, you need to understand both the problems and the solutions. Instituting an ISMS is roughly 80% a management effort and 20% a technology effort.

Beginning: Before you begin to institute an ISMS, you must obtain management and shareholder approval. You have to decide whether the scope is the whole organization or just a part of it. You must assemble a team of stakeholders and trained professionals, and you may choose to supplement the team with consultants who have implementation experience.

ISMS certification (ISO 27001): An independent third-party verification of the organization's information security assurance against the ISO 27001:2005 standard.

Pre-certification: Stage 1 – Documentation audit; Stage 2 – Implementation audit.

Post-certification: Continuous surveillance for 2 years, then re-evaluation/re-certification in the third year.

Conclusion: Before implementing a management system for information security, an organization typically already has various security controls on its information systems. Information, being a very critical asset for any organization, must be well protected against leaks or hacks. ISO/IEC 27001 is an information security management system (ISMS) standard that ensures well-managed processes support information security. ISMS implementation leads to efficiencies in operations that reduce the cost of doing business.
