Information security incidents cause irreversible economic losses and image damage to businesses. In particular, new security threats through the Internet are steadily increasing and spreading, raising the need for systematic and comprehensive information protection management and authentication.
Many companies are spending huge amounts of capital to enhance information security. However, there is no way for customers to know how well information security works. In other words, it means that some standards that customers can trust are needed.
For this reason, information security certification systems began to emerge. Under such a system, the state or a trusted institution screens and certifies a company's information protection.
Information Security Management System ISO 27001
Significance of ISO 27001 certification
The International Organization for Standardization (ISO) provides a variety of certification services. Each certification service is identified by a specific number that ISO assigns, such as ISO 9001 (Quality Management Systems) and ISO 37001 (Anti-bribery Management Systems).
ISO 27001 is the international standard for Information Security Management Systems (ISMS), certified under the International Organization for Standardization. In other words, it is an information protection certification system certified by internationally recognized institutions.
Actually, ISO 27001 is not mandatory for virtual asset operators.
There are various benefits to obtaining ISO 27001 certification
Despite not being compulsory, virtual asset operators seek it because it is an international standard information protection certification and is the most prestigious certification in the field of information protection. In other words, companies that have this certification will be recognized for having a much higher level of information protection than those that do not.
The certification correctly identifies organizational risks and ensures that they are well managed. At the same time, stability and reliability are high because it requires the organization to put information protection processes and documents in place. In addition, it is an international standard, which is an advantage when expanding into overseas markets.
Financial firms that are already extremely sensitive to information security have obtained the certification. Korea Investment & Securities, Shinhan Bank, Mirae Asset Life Insurance, Samsung Life Insurance, Citibank Korea, Busan Bank, and Lotte Card have obtained it. Coco Entertainment Korea, which is preparing for the virtual asset exchange, is also preparing to obtain it.
ISO 27001’s core is PDCA
ISO 27001 adopted the PDCA model to manage security risk. PDCA is a work cycle: Plan, Do, Check, Act.
PDCA is the core of ISO 27001 as a cyclical process that must be repeated to respond to rapidly changing IT environments and the resulting risks.
The Plan phase improves information security to meet the policies and objectives of the entire organization. In this phase, the policies, objectives, and processes needed to manage risk are established.
PDCA is based on ISO 27001
In the Do phase, improvement plans are implemented. Starting with small-scale trials in controlled situations, the organization executes its plans and implements and operates the established processes.
In the Check stage, the execution results of the Do stage are analyzed to measure and evaluate improvements and performance.
In the Act phase, the suitability of the entire cycle is improved based on what was evaluated in the previous step. If there is a deficiency, a new plan is established and the cycle is run again. Conversely, if the result is satisfactory, the scope of the cycle's activities is expanded to allow for further improvement.
ISO 27001 Certification Procedure
The first step in preparing for ISO 27001 certification is planning the project. The project environment is established, the promotion organization is formed, and training is conducted for the persons in charge and key personnel. In addition, detailed plans for the project should be formulated.
After completing the project plan, the current status and risks should be analyzed. Security vulnerabilities and risks present in the organization should be identified, analyzed, and their risk measured.
Appropriate control items for managing the identified risks should be selected, and detailed implementation plans should be established from physical, technical, and managerial perspectives.
The various logs arising from operating the established security management system should be collected and organized, and the Statement of Applicability (SOA) should be prepared.
The SOA is the most important part of the screening. The report should record how each control item has been dealt with, together with evidence of that.
Once the report is ready, the main examination begins after a preliminary examination.
In the certification review, a document review is conducted on the SOA, information protection policies, and the implementation records related to guidelines. On-site inspections are then conducted to verify whether the documented results have actually been implemented. A certificate is issued if both are passed.
Even after the certificate is issued, the organization must be inspected periodically (every six months), and the certificate must be renewed through a renewal review three years after certification.
ISO 27001 certification for greater trust
ISO 27001 is not mandatory, as mentioned earlier. For companies, it is also difficult to commit to, because they have to invest money and time separately.
However, it would not be too much to say that it is essential for virtual asset operators whose priority is information protection, as it is the most ideal way to protect assets.