Let’s start with the basics.
What is an ISMS?
An information security management system (ISMS) is the set of policies, processes, and controls an organization uses to protect the confidentiality, availability, and integrity of its information by securing people, processes, and technologies. It is also the basis of ISO 27001 compliance.
Confidentiality: information and systems are kept private and safe from unauthorized access (by people, processes, or other entities)
This aspect of the ISMS involves tangible controls such as multi-factor authentication, security tokens, and data encryption. It may also involve special training for individuals with access to restricted or classified data.
Availability: data and systems are accessible to authorized users
Availability typically requires the maintenance and monitoring of systems: preventing bottlenecks, building in redundancy, assuring business continuity, and keeping software and hardware systems up to date, so that data loss is prevented and disaster recovery is possible.
Integrity: data is complete and accurate
Finally, the integrity of your data concerns its trustworthiness. Ideally, businesses limit access to confidential data to specific roles or processes. Limiting access in this way supports integrity: fewer people and processes touching your data means a lower chance of error, so the data can be trusted.
The ISMS is the overarching framework for both auditors and the internal organization. It should describe the purpose and scope of each company policy. It acts as an application letter for ISO 27001 by defining exactly which requirements your company fulfills through its policies, practices, and procedures.
Statement of Applicability
ISO 27001 asks businesses to include a Statement of Applicability (SoA) as part of the ISMS. Like the ISMS itself, the SoA can be held in a Word document, a PDF, or another format.
The statement should include:
- The list of ISO 27001 controls,
- Whether each control has been implemented,
- The justification for including or excluding each control,
- A description of how each control is implemented.
The SoA should be reviewed and updated at least annually. While the statement itself will probably not change drastically from year to year, the underlying information in your ISMS should. As your business grows, the information security policies protecting its data will evolve, and your SoA should record those changes.