What does the ISO27001 contain
  • 28 Aug 2023

Summary of the article

Being certified according to ISO 27001 means that an organization has established its information security policy at a high level. ISO 27001 is the ISO standard for information security and the key processes that surround it.

ISO 27001 is essentially Part 2 of BS 7799, the standard that describes how information security can be set up in a process-based manner in order to implement the security measures from ISO/IEC 17799.

ISO 27001 is a broad standard that contains a wide range of obligations and measures an organization must take with regard to, among other things, privacy, risk analysis, confidentiality and reliability, continuity, communication in the event of incidents, quality checks and cybersecurity. Among the topics covered are:

  • Policy assurance (management involvement);
  • Organization (responsibilities clearly assigned);
  • Employees (house rules, onboarding of new employees, registration of incidents, combating fraud and abuse);
  • Physical security (locks, alarm systems, fire protection, access control via, for example, biometric security);
  • Software development, infrastructure and maintenance (documentation, ICT architecture, processes);
  • Continuity (disaster recovery facilities);
  • Regulations (Computer Crime Act III, General Data Protection Regulation).

The standard specifies requirements for establishing, implementing, operating, maintaining, monitoring and improving a documented Information Security Management System (ISMS), in which the business risks of an organization are made transparent and are controlled by processes that monitor and continuously improve the quality of these components.
In addition, the standard prescribes a whole range of requirements for security measures (controls).

Each organization declares in its Statement of Applicability which of these controls apply and which do not, but usually (almost) everything from the list of security measures applies to an organization.
For example, Paragin has declared only the controls concerning the outsourcing of software development (since we have developers within Paragin and do not work with external programmers) and the loading and unloading of hardware containing sensitive data (which does not happen at Paragin) not applicable. All other controls apply to Paragin, for which we have been certified by Lloyd's Register Quality Assurance (LRQA) since October 2015.

More information about our information security policy can be found on our website.

Disclaimer: This text was automatically translated from the Dutch version.