ISO27001 (or to give its proper name, ISO/IEC 27001) is the international standard for Information Security Management Systems, or ISMSs.
Since its launch in 2005, becoming certified to the ISO27001 standard has become more popular every year, as concerns and publicity about cyber security breaches have increased. In fact, the 2017 ISO survey recorded a 19% increase in certifications.
ISO27001 is part of the ISO27000 family of standards which also includes a significant number of supporting guidance documents such as ISO27002 and ISO27005. But if you want your organization to become certified, it’s ISO27001 specifically that holds the requirements you have to meet.
The main benefits from a practical point of view are twofold. First, implementing an ISMS according to the ISO27001 standard improves your information security and makes it less likely that you will suffer a breach or other type of unwanted incident. Secondly, becoming certified demonstrates to interested parties, such as customers, employees, shareholders and suppliers, that the organization is committed to keeping their data secure; this can be a significant marketing advantage where trust and risk are at issue.
Although it’s often perceived to be a technical, IT-centred standard, ISO27001 actually covers the whole organization and is concerned with the protection of information in all its forms. So, at CertiKit, we see all kinds of organizations, large and small and in most industries, implementing it. However, the largest single group is generally technology companies, such as cloud service providers that want to prove to their customers that their data is safe with them.
An ISMS is a set of processes that together help an organization to manage their information security by assessing their risks and taking action to reduce them. The management system is simply a set of things you must do to keep on top of your information security, and the main components are:
Add in some communication and continual improvement, and you have a viable and compliant ISMS.
The ISO27001 standard can be considered to consist of two main parts:
Although the initial emphasis is often on the controls (such as anti-virus, vulnerability scanning and access control), the management system part of the standard (clauses 4 to 10, covering context, leadership, planning, support, operation, performance evaluation and improvement) is just as important and, in many cases, poses more problems when implementing the ISO27001 standard. ISO has deliberately made the wording of these management system clauses the same in ISO27001 as in other management system standards, such as ISO9001 and ISO14001, so it's easier to become certified to more than one standard (this common layout is often referred to by the rather confusing name "Annex SL").
The other part of ISO27001 involves the reference controls contained in Annex A: in the 2013 edition of the standard that is 114 controls organised into 14 areas such as information security policies, human resource security, access control and incident management, to name but a few. (The 2022 revision reorganised Annex A into 93 controls grouped under four themes, but the principle is the same.) This is a set of good-practice measures that you can use to make your organization more secure.
Some of these controls may not be relevant to you, in which case you can say so, with a justification, in a required document called the Statement of Applicability, which also records which controls you have chosen to implement and why. In most cases the number of inapplicable controls is small, and there's no alternative but to work your way through implementing the rest as best you can.
It is important to note, there’s no obligation to go for certification to ISO27001 and many organizations choose to simply use the standard as a set of good-practice principles to guide them along the way to running their business. However, many become certified to prove their compliance internally and externally.
When you have your ISMS in place, and you're well under way with the Annex A controls, it's time to book a stage one audit with a certification body, whose auditors are usually referred to simply as the external auditor. This is a company that is accredited by a national accreditation body to carry out audits against the ISO27001 standard and to issue certificates.
Stage one is essentially a readiness review of your documentation ahead of the main event, the stage two certification audit. At stage two the auditor may raise findings (known as nonconformities). Minor nonconformities can usually be addressed with a corrective action plan, whereas a major nonconformity must be closed before the certificate is issued; if nothing serious is found, your organization becomes certified and can advertise the fact to anyone with an interest.
But don't forget that certification is not a one-off: the auditor will return for surveillance audits, typically every year, and for a full recertification audit at the end of the three-year certification cycle, so it's important to keep the ISMS running smoothly and continuously between visits.
ISO27001 is considered to be one of the best ways to become, and stay, more secure in this interconnected world in which we live. It's not a guarantee that nothing bad will happen, but it goes a long way to making it much less likely. Our ISO27001 toolkit will guide you through the process to certification simply and effectively. You can find out more information about embedding an ISMS into your business by downloading a free sample document.