
Q & A
ISO/IEC 27001:2013 is an International Standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Its full title is Information technology - Security techniques - Information security management systems - Requirements.
The standard consists of two components. The main component of the standard is its 11 clauses. Clauses 0-3 introduce the standard, define its scope, list the normative references and set out the terms and definitions.
Clauses 4-10 contain the requirements for the information security management system and address the following areas: Context of the Organisation, Leadership, Planning, Support, Operation, Performance Evaluation and Improvement. These are the clauses an organisation must satisfy in order to claim conformity with the Standard.
The second component of the standard, Annex A, Reference Control Objectives and Controls, provides a catalogue of 114 controls grouped into 14 sections. The sections cover the following areas: Information Security Policies, Organisation of Information Security, Human Resource Security, Asset Management, Access Control, Cryptography, Physical and Environmental Security, Operations Security, Communications Security, System Acquisition, Development and Maintenance, Supplier Relationships, Information Security Incident Management, Information Security Aspects of Business Continuity Management and Compliance. The controls in Annex A are not all mandatory: clause 6 requires a risk assessment, and the controls selected to treat the identified risks are recorded and justified in a Statement of Applicability.
A copy of the Standard is available from the NSAI (National Standards Authority of Ireland) and costs €53.00.
Depending on the size of the credit union and the resources available, implementing the standard typically takes six to nine months.
If the credit union has sufficient resources and trained staff available, it could implement the Standard itself. However, engaging a certified implementer, backed by an in-house project team, is a more efficient way to ensure the Standard is implemented.
There is no mandatory requirement to be certified. However, once the credit union has implemented the Standard, it is only one step away from certification: an audit of the ISMS by an accredited certification body.
Among the many benefits of certification are:
- Demonstrable adherence to best practice on information security.
- A framework that helps the credit union comply with regulations on data protection, privacy and IT governance.
- A better organised business, because roles, responsibilities, accountability and processes are defined, which strengthens the internal organisation.
- A culture of continual improvement, since the Standard requires the ISMS to be monitored, reviewed and improved over time.
The Central Bank of Ireland document 'Cross Industry Guidance in Respect of Information Technology and Cybersecurity Risk' references ISO 27001:2013 as a relevant best practice and internationally recognised framework. It also notes that industry standards will inform the Central Bank of Ireland's supervisory and inspection approach to IT and IT risk management.
There are a number of standards and frameworks that address information security. The main ones to consider alongside ISO 27001, as advocated by the Central Bank of Ireland, are NIST, ITIL and COBIT. Note that ITIL is an IT service management framework and COBIT an IT governance framework; neither is a security standard in its own right, so they complement rather than replace an ISMS built on ISO 27001.