This short blog explains what you need to know about ISO 27001...
The International Organization for Standardization (ISO) publishes these standards, which are internationally recognised because they are agreed by experts in the relevant field. They are widely treated as documented best practice for the activity they cover. There are in excess of 23,000 ISO standards covering a wide range of functions. Some of the more popular standards can be applied to most organisations, and include:
• Health & safety – to reduce accidents in the workplace.
• Quality management – to help work more efficiently and reduce the likelihood of defects.
• IT security – to ensure the security of information and data assets.
Keeping information assets secure is addressed by the ISO/IEC 27000 family of standards. Using these standards helps organisations of any kind or size to manage the security of assets such as employee records, financial data, or intellectual property.
ISO/IEC 27001, the certifiable standard within that family, lays out the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) appropriate to the company or organisation. It also specifies the requirements for assessing and treating information security risks. The standard is deliberately generic and is intended to apply to all organisations, regardless of size or sector.
Many businesses already have a number of security controls in place for the use and storage of information, but without an ISMS to manage them these controls tend to become disorganised and inconsistent. The 27001 standard requires:
• Systematic examination of the information security risks, taking account of the threats, vulnerabilities, and impacts.
• Implementation of a comprehensive set of controls to address the risks identified.
• An overall management process to ensure the ongoing suitability of the information security controls.
The standard is not limited to information stored electronically; it also covers physical records and archives. A business determines the scope of its Information Security Management System itself, and may implement it across the entire organisation or only within an individual business unit or location. If the scope is limited to a single unit or location, only that part of the organisation is covered by the certificate, and the remainder may not have adequate information security controls in place.
Companies may choose to have their ISMS certified as conforming to the standard. This requires external audits, by an accredited certification body, of the management system and the relevant controls. The external audit process generally consists of 3 stages:
• Stage 1: an initial review of the ISMS, checking for the existence and completeness of the required documentation (scope, risk assessment, Statement of Applicability, policies) and readiness for the main audit.
• Stage 2: a detailed, formal conformance audit, requiring evidence that the controls are relevant to the identified risks and are properly implemented and operating.
• Surveillance audits, typically annual, with a full recertification audit at the end of each three-year cycle, to confirm that the organisation continues to conform to the standard.
There are many benefits to achieving certification against any of the ISO standards; some are specific to the standard in question, while others apply to numerous standards. Some of the benefits that can be achieved with certified conformance to ISO/IEC 27001:2013 are:
• Winning new business and retaining customers – many companies now require the organisations they do business with to be certified to ISO standards in one or more relevant fields. For 27001, certification demonstrates to customers and partners the ability to safeguard business-sensitive information.
• Reducing the risk of fines and reputational damage – the ICO (Information Commissioner’s Office) can issue fines of up to 4% of a company’s annual worldwide turnover (or a fixed monetary maximum, whichever is higher) for the most serious infringements of the GDPR (General Data Protection Regulation). Certification does not exempt an organisation from the regulation, but a working ISMS provides evidence of the appropriate technical and organisational measures it requires.
• Improving processes and efficiency – the processes required by ISO/IEC 27001:2013 improve documentation and give all staff a clearer understanding of the policies and procedures they must follow. This, in turn, reduces the likelihood and impact of security incidents.
Should your organisation wish to attain ISO/IEC 27001:2013 certification, please speak with Pro-Networks; we would be delighted to help you on this journey.