ISO 27001 ISMS Principles and Objectives

Principles of the ISO 27001 ISMS
The nine principles of the ISO 27001 Information Security Management System (ISMS) complement one another and should be read as a whole. These nine principles originate in the OECD Guidelines for the Security of Information Systems and Networks (2002) and are widely adopted as the guiding principles of an ISO 27001 ISMS; the standard itself does not enumerate them as such. The principles apply to every user of the system, at both policy and operational levels, although the responsibilities they place on a user vary by role. Through awareness, training, and information sharing, the principles support all users in adopting a stronger security approach and implementation. Work to raise the reliability of information systems and networks should also respect democratic values, in particular personal privacy and open and free access to information.
The principles of the ISO 27001 ISMS can be listed as follows:
Awareness
Users must be aware of the security needs of information systems and networks and of what they can do to raise security. From the perspective of information network and system security, awareness of risks and the available protections forms the first line of defence. Information networks and systems can be affected by both external and internal risks. Users must know that security gaps can cause significant damage to the networks and systems under their control, and should always remember that the interdependent nature of systems means harm can reach other users as well.
Users should be informed about their position within the network, good practices for updating and securing systems, and the requirements that affect other users.
Response
Users must work in partnership and act in a timely way to prevent, detect, and respond to security incidents. Because information networks and systems are interconnected, and because disruptions can spread quickly and widely, users must cooperate and act in concert against threats. They should share threat and vulnerability information with one another where possible, and put in place agile, effective procedures to prevent, detect, and respond to threats. Where the necessary legal permissions exist, this partnership can include cross-border information sharing.
Responsibility
All users are responsible for the security of information networks and systems. Users connected to local information networks and systems must be aware of the responsibilities assigned to them on system security. They must act in line with the roles assigned to them. Users should review their policies, methods, applications, and protective procedures regularly and assess whether they remain appropriate. Providers, maintainers, and designers of products and services must pay attention to network and system security and supply the necessary information, including updates, so that end users understand the role of the products and services in security and their own responsibilities.
Risk Assessment
Users must carry out risk assessments. Risk assessments that identify threats and vulnerabilities must be broad enough to cover physical, technological, and human factors, as well as policy factors and third-party services. A risk assessment sets the acceptable level of risk and, in line with the importance and nature of the information to be protected, guides the selection of the controls needed to manage the potential threats to information networks and systems. As information systems become increasingly interdependent, risk assessments should also consider potential incidents experienced by, or affecting, other users.
Ethics
Users must respect each other's legitimate interests. Given how rapidly information networks and systems have spread across society, users must understand that their actions or inactions can cause harm to others. Ethical behaviour matters: users should adopt and improve good practices, encourage activities that take security requirements into account, and respect the interests of other parties.
Security Design and Implementation
Users must treat security as a central factor in information networks and systems. To secure a system, its policies, networks, and components must be designed, implemented, and coordinated appropriately. A key part of this work is the selection and design of suitable controls and solutions to prevent or minimise harm from identified threats and vulnerabilities. Both technical and non-technical protections are required, and these should be proportional to the importance of the information within the systems and networks. Security should be a baseline component of services, products, systems, and networks, built into system design and architecture rather than added afterwards. For end users, security design generally means selecting and configuring appropriate products and services for their own networks.
Reassessment
Users must examine and reassess the security state of information networks and systems and adjust security policies, practices, and procedures accordingly. New and changing threats and vulnerabilities emerge continuously, so a control that was adequate when it was chosen may no longer be. To keep pace with these changes, users must review, reassess, and adjust all elements of security on an ongoing basis.
Democracy
Information network and system security must align with the core values of a democratic society. Security activities should be pursued in a manner consistent with values such as freedom of expression and thought, the reliability of information and communication, the free flow of information, the protection of personal information, openness, and transparency.
Security Management
Users must take a thorough approach to security management. Security management should be based on risk assessment and must be dynamic, covering all levels and operations of the user's activities. It should include forward-looking analysis of new threats and address prevention, detection, response, incident review, system recovery, and ongoing maintenance.
Information system and network security practices, procedures, and measures must be coordinated and integrated so that they form a consistent security system. The requirements of security management depend on the user's role, level of participation, exposure to risk, and system requirements.