ISO 27001 is an information security standard created by the International Organization for Standardization (ISO). It provides a framework and guidelines for establishing, implementing and managing an information security management system (ISMS).
14 Domains:
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
ISO 27017 provides guidance on the information security aspects of cloud computing. It recommends and assists with the implementation of cloud-specific information security controls, supplementing the guidance in ISO/IEC 27002:2022 and other ISO/IEC 27000-series standards.
Highlights of the ISO 27017 control list:
- Shared roles and responsibilities within a cloud computing environment
- Removal of cloud service customer assets
- Segregation in virtual computing environments
- Virtual machine hardening
- Administrator’s operational security
- Monitoring of cloud services
- Alignment of security management for virtual and physical networks
ISO/IEC 27018:2019 is a code of practice that focuses on the protection of personal data in the cloud. It is based on the ISO/IEC 27002 information security standard and provides implementation guidance on the ISO/IEC 27002 controls that apply to Personally Identifiable Information (PII) processed in public clouds.
Additional requirements on 15 controls:
- Domain 5: Information Security Policies
- Domain 6: Information Security Organization
- Domain 7: Human Resources Security
- Domain 9: Access Control
- Domain 10: Cryptography
- Domain 11: Physical and environmental safety
- Domain 12: Operations security
- Domain 13: Communications security
- Domain 16: Incident Management
- Domain 18: Compliance
ISO/IEC 42001:2021 is a vital standard designed to address the security concerns surrounding Artificial Intelligence (AI) systems. It offers a structured approach to managing AI-related risks and ensuring the security and reliability of AI technologies. ISO/IEC 42001 builds upon established information security principles, providing guidance on implementing controls specific to AI security.
Within ISO/IEC 42001, there are additional requirements focusing on 15 key controls across various domains:
- Domain 5: AI Security Policies
- Domain 6: AI Security Organization
- Domain 7: Human Resources for AI Security
- Domain 9: AI Access Control
- Domain 10: AI Cryptography (e.g., encryption for AI data)
- Domain 11: Physical and Environmental Safety in AI Systems
- Domain 12: AI Operations Security
- Domain 13: AI Communications Security
- Domain 16: AI Incident Management
- Domain 18: AI Compliance
ISO Internal Audits play a crucial role in ensuring the effectiveness and compliance of an organization’s management systems. They provide a systematic and objective assessment of processes, procedures, and controls, helping organizations identify areas for improvement and verify adherence to ISO standards.
With a focus on enhancing organizational performance and mitigating risks, ISO Internal Audits cover various key aspects:
- Reviewing Management Policies: Assessing the effectiveness of management policies and their alignment with ISO standards to ensure clarity and consistency in organizational objectives.
- Evaluating Process Efficiency: Examining the efficiency and effectiveness of operational processes and procedures to identify opportunities for optimization and streamlining.
- Verifying Compliance: Ensuring adherence to regulatory requirements and ISO standards, safeguarding against potential non-compliance risks and penalties.
- Assessing Risk Management: Evaluating the organization’s risk management practices to identify and mitigate potential threats to business operations and continuity.
- Monitoring Performance Metrics: Analyzing performance metrics and key performance indicators (KPIs) to gauge the effectiveness of implemented processes and drive continuous improvement initiatives.
- Promoting Best Practices: Identifying and promoting best practices within the organization to foster a culture of excellence and innovation.
By conducting ISO Internal Audits, organizations can proactively address deficiencies, enhance operational efficiency, and maintain compliance with ISO standards, ultimately driving sustainable growth and success.