Part 12: Clauses 0, 0.1, 0.2, 1, 2 and 3 Introduction, Scope, References, Terms and Definitions
As I wrote in the sister compendium to this blog (The Ultimate Guide to Achieving ISO 9001:2015 Certification), ignoring these introduction clauses is like ignoring the first third of a movie. It’s “…where the fundamentals of the story are laid out, where all the characters are introduced, and where all the groundwork is laid”.
You need to read these clauses carefully and understand them.
Clause 0.1 General
The main points of this clause are:
- The standard gives you the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Follow those requirements and you give confidence to interested parties (i.e. customers) that you are managing your information security risks.
- Adoption of these requirements needs to be a strategic decision. Strategic decisions come from top management or from Boards of Directors. Make sure your Board has agreed to meeting ISO 27001.
- The ISMS will help preserve the confidentiality, integrity and availability of information.
- You need to use risk management processes in your ISMS.
- You need to integrate your ISMS with the rest of your organisation’s processes and overall management structure. It is not to be “silo-ed”, kept separate or used just by the IT Department.
- The standard can be used as an audit tool by interested parties. Here at Mango we have lots of customers - and potential customers - who use this standard to assess our information security processes.
- You also need to read and understand ISO 27000:2016. The ISO 27000 standard gives you the overview, the principles and the vocabulary so that you can understand ISO 27001:2013.
0.2 Compatibility with other management system standards
The structure of the ISO 27001:2013 standard is based on the Annex SL framework. This allows for identical sub-clause titles, identical text, common terms, and core definitions with other standards like ISO 9001, ISO 14001, ISO 22301, ISO 45001 and all other new management system standards from ISO.
Therefore, you can integrate easily with these other standards.
Your aim should be to operate a single management system, and thus reduce duplication, bureaucracy and wasted time.
1 Scope
The requirements specified in the ISO 27001 standard are to be within the context of your organisation. Therefore, determining your organisational context is very important. This is so you don’t overdo your system and start trying to meet something you don’t need to achieve.
The clause repeats that you need to use risk management processes for your ISMS.
The standard also fits organisations of all sizes.
Finally, there are no exclusions allowed in this standard.
2 Normative references
This clause means that ISO 27000 is indispensable to the application of ISO 27001. Therefore, you must get your hands on ISO 27000, read it, understand it and use it freely in your ISMS.
3 Terms and definitions
This is another reason to understand ISO 27000. All the terms and definitions that are given in ISO 27000 apply to ISO 27001.
Takeaway
- Read these introduction clauses carefully and give yourself a good understanding.
- Get your Board to make certification to ISO 27001 a strategic decision.
- Commit to using risk management throughout your ISMS.
- Look to integrate your ISMS with your other management system standards.