# ISO/IEC 27001:2013 Information Security Management System (ISMS)
Note: If you or anyone on your team has any questions, please raise them on GitHub:
https://github.com/dwyl/ISO-27001-2013-information-technology-security/issues
## Why?
Security of people's data stored in IT systems is critical for every organization.
Note: We have a general "introductory" tutorial: https://github.com/dwyl/learn-security if you just need some plain-English background, tips & tools for your team!
Our purpose for creating this repo is to:
- ensure that both we (the DWYL team) and our stakeholders (people who use our app(s) for their business-critical or personal information) have confidence in our IT systems/processes.
- have a checklist we can follow in the case of:
  - a joiner/leaver (what access should someone joining our team be granted?)
  - a specific scenario such as a lost/stolen device
  - a breach of trust by a person with privileged access, AKA a "privacy incident"
  - other "scenarios" such as a natural disaster.
- have all documentation in place so that we can apply for ISO 27001 certification (and thus be able to service bigger organizations which have higher InfoSec requirements)
## What?
The ISO 27001:2013 Standard defines requirements for the confidentiality, integrity and availability of information systems.
It's meant to help people (in organizations) think about and implement "controls" which improve IT security.
This repository is our implementation of the "controls": the corresponding (policy/procedure) documentation required to ensure that each control is unambiguous to everyone in our team/community!
For comprehensive details about ISO/IEC 27001:2013 see: http://www.iso27001security.com/html/27001.html
## Who?
All people in the organization who have contact with Information Technology or data should be given training on IT security. There's no excuse for "naivety" or "ignorance", and "professional negligence" with security will not be tolerated.
None of the "concepts" are "complicated" if you break them down into simple steps.
ISO 27001 Awareness Training: https://youtu.be/kU7ffml7W3Y (beginner-friendly/non-technical intro)
## What "qualifies" us...?
You may be reading this thinking what qualifies DWYL to prepare our own Information Security Processes/Procedures...?
While we do not (yet!) have a person "on staff" who is "certified" to "audit" our controls/processes, we do have a co-founder who put in the time/effort to read all the books/standards and work as an "Enterprise Risk Consultant" for long enough to know exactly how to implement the controls/processes. "All" we need to be "certified" is to submit an application to the ISO organization. see: #17
## How?
Even though ISO 27001 is a "standard", annoyingly it is not free; instead we have to pay to download it! It costs CHF 118 (£92 at the time of writing).
If you do not have the funds, you can always use your Favorite Search Engine to find a PDF:
https://www.google.com/search?q=iso+27001+pdf+2013
e.g: https://trofisecurity.com/assets/img/iso27001-2013.pdf (the full PDF)
## Controls
Once you read through the PDF you should be able to understand all the controls we have implemented: ISO-27001-2013-controls.md
Note: As always, if you or anyone on your team has any questions,
please raise them on GitHub (we'd be delighted to help clarify anything!):
https://github.com/dwyl/ISO-27001-2013-information-technology-security/issues
## Further Reading
- What is ISO 27001? (video intro): https://youtu.be/AzSJyfjIFMw
- ISO 27001 Certification: https://youtu.be/mMmpAwmXRNU
- Implementation Guide: http://www.bsigroup.com/Documents/iso-27001/resources/iso-iec-27001-implementation-guide-SG-web.pdf
- "Free" PDF? A bit of searching online and you will find: https://trofisecurity.com/assets/img/iso27001-2013.pdf (best to Google if the link is broken when you read this...)
- Security (Lack of) at Uber: https://www.revealnews.org/article/uber-said-it-protects-you-from-spying-security-sources-say-otherwise/