Information Security


The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) form the specialized system for worldwide standardization. In the field of information technology they have established a joint technical committee, ISO/IEC JTC 1. The ISO/IEC 27000 family of standards produced under it defines how an organization preserves the confidentiality, integrity and availability of its information.

ISO standards in action

The International Standard is designed for organizations to use as a reference when selecting controls while implementing an Information Security Management System (ISMS), and it acts as a guidance document for implementing commonly accepted information security controls.


For businesses, International Standards are strategic tools: they reduce costs by minimizing errors and rework and by increasing productivity.

Information security requirements

The path of information from creation, through storage, processing, use and transformation, until its destruction is known as the information life cycle. Information security matters at every stage of that life cycle, because unauthorized disclosure, modification or theft of information at any stage may harm the core business.

The three main components of Information security requirements are Confidentiality, Integrity, and Availability.


Confidentiality is the set of rules that restricts access to information to those authorized to see it (privacy)

Integrity is the assurance that information is accurate and complete and has not been altered without authorization

Availability is the assurance that authorized stakeholders can reliably access the information when they need it

Controls selection and implementation

The controls are the guiding principles for Information security management, and their selection is dependent on organizational decisions, based on risk acceptance, risk treatment options, and generic risk management approach pertinent to the organization.


Information security management system process and Audit cycle

Gap analysis and risk management are the two crucial activities in the ISMS process and its audit cycle.

Gap analysis

A gap analysis compares your current security program against the controls and practices the standard expects, to find where vulnerabilities and untreated risks are lurking. It is commonly performed when developing the ISO 27001 Statement of Applicability (SoA), which records which controls apply to the organization and why, and the SoA is finalised after the risk assessment and the risk treatment plan.


Risk management methodology and framework in ISMS

Risk management is a fundamental part of a company's management process that deals with the identification, assessment, treatment, communication and acceptance of security risks.


ISMS provides a framework to simplify the process of risk assessment and treatment. The Threat & Risk Assessment (TRA) and Risk Treatment are two important components of the ISMS framework.

TRA – identification of the assets and the threats to them, analysis of likelihood and impact, and evaluation of the resulting risk against the organization's acceptance criteria

Risk Treatment – development of a risk treatment plan that addresses the exposure of the assets identified in the threat and risk assessment


Evaluating risk

Risk exposure is evaluated from two values, the likelihood of occurrence and the level of impact, and their combination is read off a risk matrix such as the one below.

Matrix Table

Risk treatment plan and Mitigation analysis

Risk treatment options include:

a) Accept – do nothing and accept the current level of evaluated risk

b) Avoid – cease the business activity that brings the possibility of the threat occurring

c) Transfer – pass the responsibility for implementing mitigating controls to another entity (for example an insurer or an outsourced provider). Accountability for threat and risk management remains with the organization

d) Reduce – implement controls to reduce the risk to an acceptable level

Mitigation is the elimination or reduction of exposure to risk.
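The evaluation and treatment steps above can be checked mechanically against a risk register. The following is an added example, not code from the article: it assumes a 5x5 likelihood x impact matrix, rating bands Low (1-4), Medium (5-9), High (10-14) and Critical (15-25), and a hypothetical risk appetite of "Medium". Each register entry carries its planned treatment (Accept, Avoid, Transfer or Reduce) and the expected residual likelihood or impact, and the review flags any risk the plan still leaves above appetite. The register rows are constructed for illustration.

```python
"""Risk evaluation and treatment review.

Added example, not code from the article. It assumes a 5x5 likelihood x impact
matrix, rating bands Low (1-4), Medium (5-9), High (10-14), Critical (15-25),
and a hypothetical risk appetite of "Medium": any risk rated above that must be
Avoided, Transferred or Reduced until its residual rating is within appetite.
"""
from dataclasses import dataclass
from typing import List, Optional

RATING_ORDER = {"Eliminated": -1, "Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def rate(score: int) -> str:
    """Map a likelihood*impact score to a rating band (assumed bands)."""
    if score == 0:
        return "Eliminated"  # activity stopped: no exposure left
    if not 1 <= score <= 25:
        raise ValueError(f"score out of range for a 5x5 matrix: {score}")
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                             # 1 (rare) .. 5 (almost certain)
    impact: int                                 # 1 (negligible) .. 5 (severe)
    treatment: str = "Accept"                   # Accept | Avoid | Transfer | Reduce
    residual_likelihood: Optional[int] = None   # expected after the planned controls
    residual_impact: Optional[int] = None

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Exposure left after treatment. Avoid removes the activity and with it
        the exposure; Accept changes nothing; Transfer and Reduce lower whichever
        factor the control addresses (insurance lowers impact, patching lowers
        likelihood). Factors without a residual estimate are left unchanged."""
        if self.treatment == "Avoid":
            return 0
        if self.treatment == "Accept":
            return self.inherent_score()
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


def review(register: List[Risk], appetite: str = "Medium") -> List[str]:
    """Return one finding per risk whose planned treatment leaves it above appetite."""
    findings = []
    for r in register:
        inherent = rate(r.inherent_score())
        residual = rate(r.residual_score())
        if RATING_ORDER[residual] > RATING_ORDER[appetite]:
            if r.treatment == "Accept":
                findings.append(f"{r.asset}: {inherent} risk accepted with no treatment")
            else:
                findings.append(f"{r.asset}: still {residual} after {r.treatment}")
    return findings


# Constructed sample register (not real data).
REGISTER = [
    Risk("customer database", "SQL injection through the web app", 4, 5, "Reduce", residual_likelihood=1),
    Risk("staff laptops", "theft of an unencrypted device", 3, 4, "Reduce", residual_impact=1),
    Risk("legacy FTP server", "credential sniffing", 5, 3, "Avoid"),
    Risk("payment processing", "breach fines", 2, 5, "Transfer", residual_impact=3),
    Risk("marketing wiki", "defacement", 2, 2, "Accept"),
    Risk("build server", "compromised dependency", 3, 4, "Accept"),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:20} inherent {rate(r.inherent_score()):9} "
              f"-> {r.treatment:8} -> residual {rate(r.residual_score())}")
    for finding in review(REGISTER):
        print("FINDING:", finding)
```

The check deliberately treats Transfer like Reduce: the insurer or provider may lower the impact, but the residual still has to be estimated and rated, because accountability stays with the organization.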


Business Continuity Plan (BCP)

Business continuity planning is the process of building prevention and recovery arrangements for potential threats to the company. The BCP covers any incident that could negatively impact operations by damaging critical infrastructure and services. Risk management is incorporated as part of the business continuity plan.



Disaster Recovery

Disaster recovery planning begins with a Business Impact Analysis (BIA).

The BIA works with two key metrics:

  • Recovery Time Objective (RTO)
  • Recovery Point Objective (RPO)



Recovery Time Objective (RTO): the maximum acceptable length of time a business process can be unavailable after a disaster before it must be restored.

Recovery Point Objective (RPO): the maximum targeted period of data that may be lost from an IT service due to a major incident, which in practice bounds how much time may pass between backups.
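Both metrics are only useful if they are verified against observed data: the backup schedule must keep every gap, not just the typical one, within the RPO, and a rehearsed end-to-end restore must fit inside the RTO. The following is an added example, not code from the article; the backup timestamps, incident time, restore step durations and the RPO/RTO targets are all constructed for illustration.

```python
"""RPO/RTO verification against observed backup and restore data.

Added example, not code from the article. The backup timestamps, incident
time, restore step durations and the RPO/RTO targets are all constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def max_backup_gap(backup_times: List[datetime]) -> timedelta:
    """Largest interval between successive backups: the worst-case data loss if
    an incident strikes just before the next backup completes."""
    times = sorted(backup_times)
    if len(times) < 2:
        raise ValueError("need at least two backups to measure a gap")
    return max(later - earlier for earlier, later in zip(times, times[1:]))


def data_loss_window(backup_times: List[datetime], incident: datetime) -> timedelta:
    """Data actually lost for a given incident: time since the last backup
    that completed before it."""
    earlier = [t for t in backup_times if t <= incident]
    if not earlier:
        raise ValueError("no backup completed before the incident")
    return incident - max(earlier)


def check_rpo(backup_times: List[datetime], rpo: timedelta) -> Tuple[bool, timedelta]:
    """RPO is met only if the worst-case gap is within target; a single missed
    run is enough to break it even when the schedule is normally fine."""
    worst = max_backup_gap(backup_times)
    return worst <= rpo, worst


def check_rto(restore_steps: Dict[str, timedelta], rto: timedelta) -> Tuple[bool, timedelta]:
    """RTO is met if the measured end-to-end restore (all steps, run in
    sequence during a DR test) fits inside the target."""
    total = sum(restore_steps.values(), timedelta())
    return total <= rto, total


# Constructed data: hourly backups with the 04:00 run missing, plus timings
# from a hypothetical DR rehearsal.
BACKUPS = [datetime(2024, 3, 1, h) for h in (0, 1, 2, 3, 5, 6)]
INCIDENT = datetime(2024, 3, 1, 6, 40)
RESTORE_STEPS = {
    "declare disaster and page on-call": timedelta(minutes=30),
    "provision replacement hosts": timedelta(hours=1),
    "restore database from last backup": timedelta(hours=1, minutes=30),
    "validate and cut over DNS": timedelta(minutes=30),
}
RPO = timedelta(hours=1)
RTO = timedelta(hours=4)

if __name__ == "__main__":
    ok, worst = check_rpo(BACKUPS, RPO)
    print(f"RPO {RPO}: worst backup gap {worst} -> {'OK' if ok else 'MISSED'}")
    print(f"loss for an incident at {INCIDENT:%H:%M}: {data_loss_window(BACKUPS, INCIDENT)}")
    ok, total = check_rto(RESTORE_STEPS, RTO)
    print(f"RTO {RTO}: measured restore {total} -> {'OK' if ok else 'MISSED'}")
```

With this data the 06:40 incident loses only 40 minutes of data, yet the RPO check fails because the missed 04:00 backup opened a two-hour window; that is the distinction between what happened and what the objective must guarantee.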



Information Security is the practice of defending information from unauthorized access, disclosure, disruption, modification, recording or destruction.

ISO/IEC 27001:2013 provides the blueprint that ties these pieces together: information security requirements, control selection and implementation, the audit cycle, risk management, business continuity planning and disaster recovery.


About Ciby Baby Punnamparambil

Ciby is a Solution Architect at Vmoksha with over 12 years of experience in the IT industry. He has in-depth knowledge and industry experience in delivering IoT embedded and Mobility solutions.
