ISO27001 is basically 'systematic common sense' in its approach to managing information security. The standard provides a systematic approach, which can fit in the organisation's normal processes and thus will not necessarily become the insurmountable burden that many consider it to be.
To facilitate the implementation of ISO27001 and to create an understanding of what is necessary to ensure professional management control of information security according to the standard, the Agency for Digitisation has published "Guide to the implementation of ISO27001". The guide describes a simplified model for the implementation of ISO27001 and concentrates particularly on ten key points from the standard, among them criteria for management commitment and involvement in the management of information security.
New monitoring concept
In September, the Agency for Digitisation published a new monitoring concept that will support and strengthen Danish ministries' work with information security and implementation of ISO27001.
The overall purpose of monitoring information security is to inspect and assess the management of information security in the broad sense in relation to the institution's organisational size, the nature of operations, and the strategic, political and economic importance.
How is monitoring done?
Monitoring will be based on a dialogue between the supervisor and the institution, for instance by replying to a questionnaire about the organisation's various commitments, such as documentation of the organisational management of information security, internal policies and guidelines, and other requirements of ISO27001.
The next step will be a supervisory meeting where the monitoring body can request more detailed information and ask about any ambiguities. The supervisory meeting can be used as an opportunity to review the information security and discuss where specific action should be taken and how improvement measures should be introduced. The objective is to make the monitoring and supervision more proactive as opposed to, for example, audits, which many regard as a purely backward-looking process.
The process finishes with a report to management, who thereby gain the necessary insight into the current state of information security.
Professionalisation and strengthened IT supervision
The supervision concept was developed in collaboration with a reference group consisting of a number of central government partners and observers. The overall monitoring concept includes a binding guide and a supporting guide which is not binding.
The concept replaces the guide on IT supervision which was published by the National IT & Telecom Agency in 2005.