Welcome to MB Global Service AB

What are the important factors in establishing the ISO27001 system and the ISO27000 system?

Update time:2023-11-26

The factors that influence the establishment of an ISO27001 system include physical security, personnel permissions, PII data protection, and so on. The elements of the ISO27000 system are confidentiality, integrity, and availability. Below, the editor explains each of these in detail.

1、 How Party B can better establish an information security system for Party A

1. Key points for establishing a system

(1) Understand customer needs;

(2) Develop information security plans based on needs;

(3) Leadership support;

(4) The cooperation of all employees;

(5) Sufficient service capability on Party B's side.

2. Understand customer needs

In the early stage of project approval, that is, the pre-sales stage, you need to communicate with the customer and understand why they want to establish an information security system, for example an ISO/IEC 27001 information security management system. The main motivations of most domestic companies are as follows:

(1) Stakeholder requirements: the company's suppliers require it to pass ISO27001 certification; without it, cooperation runs into obstacles;

(2) Bidding: this one is straightforward. When a company bids on projects, the tender requirements may contain a veto item: without ISO27001 certification, the company cannot take part in the bid;

(3) Reassuring one's own customers: some companies do this simply to reassure their customers, and the aim is just to obtain the certificate;

(4) The company's own requirements: these are good customers, highly cooperative and able to actually implement the system, and they are mainly foreign enterprises.

In short, domestic enterprises make money first and manage later, while foreign enterprises manage first and make money later. This is the difference in how the two types of enterprise build information security management.

3. Develop security plans

The security plan is formulated based on the customer's needs and must fit their actual situation. Let's take a practical example of system construction. I have previously worked for a customer, a certain e-commerce platform that is among the top in China; they have their own large information security team. From what I learned of their daily information security work, they have done well, and they have developed internal information security management strategies based on many standards, such as ISO27001, ISO27018, ISO27701, ISO20000, etc. Their autonomy is high. Through early communication, their pain points turned out to be physical environment security, personnel permissions, and PII data protection.

4. Physical security

Their physical security pain points are:

(1) There is no physical isolation in the office area. In pursuit of an open, unconstrained office environment, some important departments such as finance, legal, and information security have not been physically separated. On-site inspection showed that they take no security measures even when handling sensitive data;

(2) Because it is an e-commerce platform, most employees are relatively young and do not like to wear employee badges. They only use facial recognition when entering and leaving the office area, and the access control does not lock automatically. In addition, employees' information security awareness is weak: even if an outsider tailgates in, nobody notices, and the outsider can move freely around the office area;

5. Personnel permissions

Their personnel permissions are quite chaotic, mainly in the following respects:

(1) Personnel who do not belong to a department hold the highest level of authority over the systems that department uses;

(2) A data export specialist can export large amounts of personal data to a local machine, and there is no backup person for that role;

(3) All personnel have printing permissions.
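The three findings above are the kind of thing an access review should surface automatically rather than by walking the floor. The following script is an added example (not code from the original article or from the customer described): it runs over a constructed entitlement list and flags privileged roles held outside the owning department, critical roles with a single holder, and permissions granted to every user. The user directory, system names and role names are all assumptions made up for the illustration.

```python
"""Access review for three common findings (added example, constructed data).

Finding (1): privileged role held by someone outside the owning department.
Finding (2): critical role with only one holder, i.e. no backup person.
Finding (3): a permission that every user in the directory has.
"""
from collections import defaultdict

# Constructed user directory: user -> home department (assumption, not real data)
USERS = {
    "alice": "finance",
    "bob": "finance",
    "carol": "customer_service",
    "dave": "it",
    "erin": "legal",
}

# Constructed entitlements: (user, system, owning_department, role)
ENTITLEMENTS = [
    ("alice", "erp", "finance", "admin"),
    ("dave", "erp", "finance", "admin"),              # IT staffer with finance admin
    ("bob", "erp", "finance", "user"),
    ("carol", "crm", "customer_service", "user"),
    ("carol", "crm", "customer_service", "data_export"),  # sole holder of export role
    ("erin", "contracts", "legal", "admin"),
    ("dave", "contracts", "legal", "admin"),          # IT staffer with legal admin
    ("alice", "print_server", "it", "print"),         # everyone can print
    ("bob", "print_server", "it", "print"),
    ("carol", "print_server", "it", "print"),
    ("dave", "print_server", "it", "print"),
    ("erin", "print_server", "it", "print"),
]

PRIVILEGED_ROLES = {"admin"}
CRITICAL_ROLES = {"admin", "data_export"}


def cross_department_admins(entitlements, users):
    """Finding (1): privileged roles held by a user whose department is not the owner."""
    return sorted(
        (user, system, role)
        for user, system, owner, role in entitlements
        if role in PRIVILEGED_ROLES and users.get(user) != owner
    )


def _holders(entitlements, roles=None):
    """Map (system, role) -> set of users holding it, optionally limited to some roles."""
    holders = defaultdict(set)
    for user, system, _owner, role in entitlements:
        if roles is None or role in roles:
            holders[(system, role)].add(user)
    return holders


def single_holder_roles(entitlements, critical_roles):
    """Finding (2): critical roles with exactly one holder, so no backup exists."""
    return sorted(
        (system, role, next(iter(users)))
        for (system, role), users in _holders(entitlements, critical_roles).items()
        if len(users) == 1
    )


def universal_permissions(entitlements, users):
    """Finding (3): (system, role) pairs granted to every user in the directory."""
    everyone = set(users)
    return sorted(
        key for key, holders in _holders(entitlements).items() if holders >= everyone
    )


def review(entitlements=ENTITLEMENTS, users=USERS):
    """Run all three checks and return the findings as a dict."""
    return {
        "cross_department_admins": cross_department_admins(entitlements, users),
        "single_holder_roles": single_holder_roles(entitlements, CRITICAL_ROLES),
        "universal_permissions": universal_permissions(entitlements, users),
    }


if __name__ == "__main__":
    for finding, items in review().items():
        print(finding)
        for item in items:
            print("  ", item)
```

On the constructed data the review reports dave's admin rights on the finance and legal systems, carol as the only holder of the CRM export role, and the print permission as granted to everyone. In a real review the entitlement list would come from the IAM or HR system export, and the owning department of each system from the asset inventory.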

6. PII data protection

As an e-commerce platform, the data accessed most often is undoubtedly users' PII. When a user purchases something on the platform, their personal data (name, phone number, and address) is saved. Although the company has corresponding control measures, some issues remain unresolved:

(1) Customer service personnel can access PII data and can even work from home. Although the computer terminals have encryption software, it cannot prevent someone photographing the screen;

(2) Even with the encryption system installed, the system has defects: data downloaded from a certain platform is not automatically encrypted.

2、 ISO27000 Information Security Management System

Accredited ISO/IEC 27000 certification attests that an organization's Information Security Management System (ISMS) meets the requirements of ISO/IEC 27000. It is an assurance given after an audit by an authoritative third party: the certified organization has implemented an ISMS that meets the requirements of the ISO/IEC 27000 standard. Certified organizations are registered. ISO/IEC 27000 can serve as a basis for evaluating an organization's ability to meet the information security requirements set by customers, by the organization itself, and by laws and regulations.

1. The significance of establishing an ISMS for organizations

By referring to the information security management model, an organization can establish a complete information security management system in accordance with advanced information security management standards, implement and maintain it, and achieve an approach to information security management that is dynamic, systematic, institutionalized, prevention-oriented, and involves all staff. It can reduce the probability and impact of information risks to an acceptable level at the lowest cost, and take measures to ensure that business is not interrupted when risks materialize. Establishing, implementing, and maintaining an information security management system will:

(1) Strengthen employee awareness of information security and standardize organizational information security behavior;

(2) Protect the organization's key information assets comprehensively and systematically, to maintain its competitive advantage;

(3) Ensure business continuity and minimize losses when information systems are compromised;

(4) Give the organization's business partners and customers confidence.

2. The Three Elements of an ISMS (Information Security Management System)

(1) Confidentiality: Ensure that only authorized individuals can access information.

(2) Integrity: Ensure that the information provided for use is correct and complete, and has not been damaged or tampered with.

(3) Availability: Ensure that authorized users can access and use relevant information when needed.

Overall, all technologies and theories for protecting confidentiality, integrity, availability, traceability, authenticity, and reliability fall within the scope of information security research and are the goals that information security aims to achieve.

3. Why is ISMS certification required?

According to a CSI/FBI report, 65% of organizations have experienced at least one information security incident, while the same report indicates that 97% of organizations have deployed firewalls and 96% have deployed antivirus software. This shows that our information security measures are not effective, and the state of information security is not encouraging.

In fact, only when good information security management is implemented at the macro level, for example by adopting internationally recognized best practices or rule sets, can security at the micro level, such as physical measures, be implemented effectively. Adopting the ISO/IEC 27000 standard and obtaining certification is undoubtedly one of the solutions organizations should consider.

Its advantages are:

(1) Prevent information security incidents, ensure business continuity, and ensure that the organization's important information assets are protected according to their value, including preventing:

① Leakage, loss, tampering, and unavailability of important trade secrets;

② Interruption of the information systems that important business depends on, due to faults, viruses, or attacks;

(2) Save costs. A good ISMS not only saves organizations money by avoiding security incidents, but also helps them plan information security spending reasonably, including:

① Prioritizing investment in security controls according to the risk level of information assets;

② Not investing in security controls for information asset risks that are acceptable;

(3) Maintain the organization's competitiveness and successful operation, enhance its public image and reputation, and maximize return on investment and business opportunities;

(4) Enhance the trust and confidence of customers, partners, and other relevant parties.

4. The Importance of Information Security

(1) Information security is crucial to maintaining an organization's competitive advantage, financial flow, efficiency, legal compliance, and business image.

(2) Any organization, its information systems (such as an ERP system), and its networks may face a wide range of security threats, including computer-assisted fraud, espionage, sabotage, fire, flood, and more. As computers have become more advanced and widespread, computer viruses, computer theft, and illegal intrusion into and destruction of servers have become more common and more complex.

(3) At present, some organizations, especially larger companies, rely entirely on information systems for production and business management, which makes them more vulnerable to security threats. Network interconnection within organizations and the sharing of information resources have made access control harder to implement.

(4) Some organizations may have considered security when designing their information systems, but relying on technical means alone to achieve security has limits; security must be supported by management and procedures.

(5) A survey conducted in the UK found that 80% of information loss is related to human factors, so preventing information risks caused by human factors is considered the main control objective of information security. Information security is achieved by implementing a suitable set of controls, which can take the form of policies, practices, procedures, organizational structure, and software functions; these controls need to be determined so that the organization's specific security goals are met.

5. Application materials required for consulting and certification

1) Certification application requirements:

(1) The applicant must have clear legal status;

(2) The audited party has established a documented management system in accordance with the ISMS standard;

(3) Before the on-site audit, the audited party's management system must have operated effectively for at least three months, and a complete internal audit and management review must have been conducted.

2) List of materials required for ISMS certification

(1) Documents proving legal status (such as the enterprise legal person business license or organization code certificate);

(2) Valid qualification certificates, product production licenses, mandatory product certification certificates, etc. (where required);

(3) Organizational profile (product and technical standards related to the product/service, mandatory standards, equipment used, staffing, etc.);

(4) Process flow diagram for the production, processing, or service of the product covered by the certification application;

(5) A list of service locations, including any multiple sites;

(6) Management manual, program files, and organizational chart;

(7) Number of servers and terminals;

(8) Service plan, service report, capacity plan.

The above is my summary and explanation of "What are the important factors in establishing the ISO27001 system and the ISO27000 system?" I hope it is helpful to everyone.

