ISO 27001: A Standard Providing a Framework for Information Security Quality Systems

ISO 27001 enables companies and public administrations to implement an information security management system (ISMS) effectively. Certification against the standard shows stakeholders (clients, shareholders, partners, regulators, etc.) that the organization has taken the security of its information systems fully into account and that it is engaged in a continuous improvement process.

ISO 27001 defines the tasks and actions of a "Plan-Do-Check-Act" (PDCA, or "Deming wheel") process to be implemented in the organization. Typically, the ISSM (Information System Security Manager) is responsible for running it.

The ISO 27001 approach delivers continuous improvement of information security, universal and complete coverage of security practices, a process-based way of working, and an ongoing dialogue among participants on security issues.

William Edwards Deming (1900-1993) [1] was an American statistician who developed the principles of quality management and applied them from the 1950s onward during the reconstruction of Japanese industry. He himself called his wheel the "Shewhart cycle," crediting the idea to statistician Walter Andrew Shewhart [2]. Deming's quality principles also underlie the ISO 9000 family of standards. The principle of the Deming wheel is to define objectives, implement a method to achieve them, verify that the result obtained is stable and meets the objectives, make an improvement, and then begin again.

This virtuous cycle creates the right environment for continuous improvement and makes deterioration harder. However, a very common situation in information system security is that even when everything has been done by the book on day one, each modification, new version or new feature can leave the system no longer secure. Continuous improvement is therefore all the more important, and takes priority, in matters of information security. There is no point in analyzing risks if a continuous improvement process is not also implemented in the organization.

ISO published the ISO 27001 standard in 2005 and updated it in 2013. It stems from a British standard, BS 7799-2, published in 2002.

The Best Guides to Supplement the Standard

The ISO 27001 standard is supplemented by many guides, the most notable of which are:

• ISO 27002: Code of practice for information security controls, i.e. the security measures an ISMS selects from
• ISO 27004: Monitoring, measurement, analysis and evaluation of an ISMS, which explains how to select indicators
• ISO 27005: Information security risk management
• ISO 27035: Information security incident management

The best-known guide is ISO 27002, but the most useful is ISO 27005, a guide for implementing the risk management part of information security. ISO 27005 defines a risk management process that follows the same Plan-Do-Check-Act cycle as the overall ISMS and can be applied to any subset of the ISMS (cf. Figure 2).

Plan: Identify, quantify, and analyze the risks, and select the appropriate actions to reduce them.
Do: Implement the actions that reduce the risks. Make senior management and staff aware of the risks.
Check: Monitor and re-examine the results, the effectiveness, and the efficiency of the risk management process.
Act: Correct the approach to risk and improve the risk management process.

The risk management process is broken down into two sequential and iterative activities:

• Risk assessment
• Risk treatment

Figure 2: Risk management process

This iterative approach is designed to suit the realities of the corporate world, where a business may need to act quickly at the outset and refine the analysis in later iterations. Each pass deepens the assessment of the risks while keeping the time and effort spent on identifying security measures to a minimum. If some information is missing, or some key stakeholders are reluctant to talk, the process can still move forward.

After these two iterative steps, the risk owner accepts (or formally approves) the treatment choices made and the residual risks that remain.

The risk owner is the budgetary arbitration authority, usually senior management.
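To make the assessment, treatment, residual-risk and acceptance steps concrete, here is a small risk register in Python. It is an added example, not code from the standard or from the article: the 1..5 likelihood and impact scale, the risk appetite threshold of 8, the control effects and the sample assets and threats are all constructed assumptions, chosen only to show how a second iteration refines the first.

```python
"""Added example (not from ISO 27005 or the article): a minimal risk register
that runs the assess -> treat -> residual risk -> owner acceptance loop.

Assumptions (constructed for this example):
- likelihood and impact are scored 1 (low) .. 5 (high); risk score = product
- RISK_APPETITE = 8: any residual score above it must be explicitly accepted
  by the risk owner, otherwise it stays on the "to treat" list
- each control lowers likelihood and/or impact by a fixed number of steps
"""
from dataclasses import dataclass, field

SCALE = range(1, 6)   # assumption: 1..5 scale for likelihood and impact
RISK_APPETITE = 8     # assumption: threshold above which the risk owner must accept


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)
    accepted_by_owner: bool = False

    def __post_init__(self):
        # Reject scores outside the agreed scale instead of silently computing nonsense.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}/{self.threat}: scores must be in {list(SCALE)}")

    def inherent_score(self) -> int:
        """Risk before any treatment (assessment step)."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk after the selected controls; never below 1 on either axis."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def assess(register):
    """Risk assessment: rank risks by inherent score, highest first."""
    return sorted(register, key=lambda r: r.inherent_score(), reverse=True)


def treat(risk, *controls):
    """Risk treatment: attach controls and return the resulting residual score."""
    risk.controls.extend(controls)
    return risk.residual_score()


def pending_acceptance(register):
    """Residual risks above appetite that the risk owner has not accepted yet."""
    return [r for r in register
            if r.residual_score() > RISK_APPETITE and not r.accepted_by_owner]


def build_sample_register():
    # Constructed sample data, not taken from any real assessment.
    return [
        Risk("patient-monitor network", "malware via vendor laptop", likelihood=4, impact=5),
        Risk("HR file share", "ransomware", likelihood=3, impact=4),
        Risk("public website", "defacement", likelihood=2, impact=2),
    ]


def first_iteration(register):
    """Iteration 1: coarse pass, treat only the top-ranked risk."""
    top = assess(register)[0]
    residual = treat(top,
                     Control("network segmentation", likelihood_reduction=2),
                     Control("offline backups of device config", impact_reduction=1))
    return residual, [r.asset for r in pending_acceptance(register)]


def second_iteration(register):
    """Iteration 2: refine by treating whatever is still above appetite."""
    for risk in pending_acceptance(register):
        treat(risk, Control("EDR + tested restores", likelihood_reduction=1, impact_reduction=2))
    return [r.asset for r in pending_acceptance(register)]


if __name__ == "__main__":
    reg = build_sample_register()
    print("iteration 1:", first_iteration(reg))   # top risk 20 -> 8, HR share still pending
    print("iteration 2:", second_iteration(reg))  # nothing left for the owner to accept
```

The point the loop makes is the one the text makes: the first pass is deliberately coarse (treat the top risk, leave the rest), and what the risk owner sees at the end of each pass is only the residual risk still above appetite, which either gets more treatment on the next iteration or an explicit acceptance.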

The technical complexity of interconnected networks makes information system security management increasingly hard to master. At the same time, growing awareness of what is at stake is driving authorities to impose strict rules with legal force. For example, operators of vital importance such as healthcare facilities are legally obliged to secure their industrial networks.

ISO 27001 certification is the simplest way to give stakeholders and clients a first level of confidence. Last June, three biomedical device manufacturers fell victim to an intrusion [3] that placed malware on equipment, leaking patient data from a healthcare facility.

All of us, whatever our activity, should therefore take an interest in the ISO 27001 standard and organize our security in accordance with the good practices it contains.

