What is ISO 27001?
ISO/IEC 27001 is the internationally recognised standard for managing information security in an organisation. It specifies the requirements for an information security management system (ISMS): a framework of policies and procedures covering the legal, physical and technical controls involved in an organisation’s information risk management processes.
Why is it important?
Data protection has never been a more prominent part of business processes than it is now. With the EU General Data Protection Regulation (GDPR) and the sheer number of data breaches that hit the news, it is important that your company and its suppliers are prepared and have security systems and processes in place.
ISO 27001 is designed to help organisations establish, monitor, review, maintain and improve their information security management systems. The standard helps ensure that a business’ security risks are managed cost-effectively, and certification sends a valuable message to customers and business partners: this business manages information security properly.
What really goes into getting an ISO 27001 certification?
You might be aware that some of your software suppliers are ISO 27001 certified. But what does this really mean?
If an organisation is ISO 27001 certified, it means that its management and staff are committed not just to maintaining, but also to continually improving, the organisation’s security management and controls.
ISO 27001 uses a risk-based approach and is technology-neutral. It sets requirements for documentation, management responsibility, internal audits, continual improvement, and corrective action. However, it does not prescribe which controls an organisation must implement: Annex A provides a reference set of controls, and the organisation selects the ones it needs based on its own risk assessment and justifies each choice in its statement of applicability.
To prepare for ISO 27001 certification a company has to complete the following six steps:
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a statement of applicability.
ISO 27001 also requires the company to regularly assess its information security progress and performance. Clause 9 of the standard (performance evaluation) divides this into three key activities:
Monitoring, measurement, analysis and evaluation
The organisation shall evaluate the information security performance and the effectiveness of the information security management system.
Internal audit
The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:
Management review
Top management shall review the organisation’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
An information security guarantee
Most organisations and businesses will have some form of controls in place to manage information security, but they are often implemented haphazardly: some are introduced as specific solutions to specific problems, whilst others are introduced simply as a matter of convention. Ultimately, ISO 27001 is designed as a guide and checklist that stops organisations leaving gaps in their security frameworks and controls. It is designed to make your life easier by avoiding security problems further down the line.