Marlon Ortiz

Introduction ISO 27000:2018

As our business operations become more and more reliant on information systems, our proprietary information becomes a valuable asset. These assets are the primary target of unauthorized parties who try to gain access with the nefarious goal of either stealing or destroying them. In order to protect these assets more effectively, many organizations are implementing Information Security Management Systems (ISMS). These systems follow established best practices and frameworks that ensure the confidentiality, integrity and availability of the information are maintained throughout normal business operations.


ISO/IEC 27000:2018 is a series of standards documents (more than 30 published and/or planned). They were developed by the Joint Technical Committee of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and together they specify the complete implementation of an ISMS. With this documentation, any organization can create a framework of best practices for managing its information security. Figure 1 provides a brief overview of these standards:

Some important takeaways to be remembered:

  • As the first standard of the ISO 27000 series, ISO 27001 covers the requirements for an ISMS and is defined as “providing the requirements for establishing, implementing, maintaining and continuously improving an ISMS.” The first takeaway is that this implementation needs to be dynamic, learning and improving as the needs of the organization and its processes change.
  • The intent of the ISO 27002 standard is to assist organizations in improving their information security management. Specifically, the standard is to be leveraged as a guide for the development of security standards within the organization and for establishing effective security management practices. The second takeaway is that this standard is a security management framework. The key word here is “management”: it is therefore not a technical hands-on manual on how to set up security appliances or configure security applications.
  • The ISO 27004 standard is designed to help an organization measure, report on and hence systematically improve the effectiveness of its ISMS. It covers how to grade the ISMS and what needs to be done to make it better, which is the third takeaway. If you have read my previous articles, then you know I believe that in order to achieve continuous improvement, you need to have meaningful metrics. “If you can’t measure it, you can’t improve it.” – Lord Kelvin (1824-1907)

Figure 1: ISO Documents

In conclusion, there is no need to re-invent the wheel when setting up an ISMS. Sharper minds have done the heavy lifting for us. The ISO 27000 series provides a framework that should help guide our organizations in sorting out their security requirements and risk appetite and in developing a security plan that best suits their needs.

Marlon Ortiz, Information Technology Professional. Creative professional with 20+ years of information technology knowledge in the gaming and hospitality industry. Highly skilled in information security, project management and planning, with a strong background in data management, security, analytics and technical strategy. A proven leader who understands that the value of IT lies in delivering solutions to complex business problems within the gaming and hospitality industry. A leadership style that emphasizes the development of people, processes and tools to achieve specific strategic business goals. Focused on connecting IT to other departments within the corporation and delivering effective solutions for business costs and operations. An executive who excels in a fast-paced organization and is ready to take on the challenges that come with that environment. Marlon possesses a Master’s in Cybersecurity and Information Assurance from The Pennsylvania State University. He previously held high-level IT management positions at American Casino and Entertainment Properties, the Morongo Casino Resort & Spa, Harrah’s Entertainment and Aztar Corporation.