At the international level, ISO/IEC 27001:2013 (SR EN ISO/IEC 27001:2018 – Romanian Standard) is the best-known standard within the 27000 series – standards designed by ISO to help organizations manage information security.
ISO/IEC 27001:2013, the first ISO management system standard to adopt Annex SL of the ISO Directives (the High Level Structure), can be applied to any type of organization in the public or private sector, commercial or non-profit, regardless of size, structure, products or services offered, because each of them collects, processes, stores or transmits information in various forms, from electronic to verbal.
This standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system, taking into account the context of the organization (size and structure, specific processes, needs and objectives, security requirements, requirements of interested parties – new laws and regulations, etc.).
According to the ISO/IEC 27002:2013 standard "Information technology. Security techniques. Code of good practice for information security management", it is particularly important for the organization to identify its own security requirements, considering the following sources:
risk assessment for the organization based on the general business strategy and objectives;
statutory, regulatory or contractual requirements that must be fulfilled by the organization, but also by commercial partners, subcontractors or service providers;
principles, objectives and business requirements for the use, processing, storage, communication and archiving of the organization's information.
The implementation of the information security management system seeks to preserve the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to the interested parties that the risks are managed appropriately.
The adoption of an information security management system must be a strategic decision, as it is very important that this system be an integral part of the organization's overall management processes and structure, and that information security be taken into account when designing processes, information systems or control means.
The adoption of the ISO/IEC 27001:2013 standard implies the implementation of an appropriate set of control means, such as policies, processes, procedures, organizational structures and software and hardware functions, starting from the assessment and treatment of information security risks in the organization. The assessment of information risks aims to identify the threats to the organization's resources, establish their vulnerabilities to those threats, and estimate the probability of their occurrence.
The effective implementation and certification of the information security management system in accordance with ISO/IEC 27001:2013 (SR EN ISO/IEC 27001:2018) guarantees the organization's management and other interested parties that the organization's resources (written information, images, organizational knowledge, concepts, brands, etc.) are secured and reasonably protected against damage, thus favoring the lasting success of the organization.