Are you considering ISO 27001 certification but trying to weigh up the time, resources and cost required against the potential benefits? This blog explains what the standard is and why it may benefit your business.
What is ISO 27001?
ISO 27001 is the international standard for an information security management system (ISMS). The version referred to in this blog is ISO/IEC 27001:2013.
The standard is concerned with the management of information security and follows the Deming cycle of ‘Plan-Do-Check-Act’ to achieve continual improvement of security management.
ISO 27001 is not an IT security standard. It is risk led and looks at information security risks across the whole business, including those falling outside IT such as physical security, HR security and supplier security risks.
The standard lets organisations determine their own risk acceptance criteria and their own approach to managing risks. One business might consider a risk unacceptable unless it is treated and reduced using controls, whereas another business may consider the same risk acceptable. What the standard requires is that the decision is made consciously, recorded and revisited as part of the management system, not that every organisation reaches the same answer.
ISO 27001 is supported by a family of information security guidance and associated documents. The family includes:
- ISO 27000: Overview and vocabulary (definitions used across the family)
- ISO 27001: Requirements for an Information Security Management System (the certifiable standard)
- ISO 27002: Code of practice for information security controls
- ISO 27005: Information security risk management
- ISO 27017: Information security controls for cloud services
- ISO 27018: Protection of personally identifiable information (PII) in public clouds
ISO 27001 is the standard against which organisations are audited and, if successful, certified. The supporting documents provide guidance on implementing the standard but are not mandatory. The additional controls for cloud environments in ISO 27017 and ISO 27018 are becoming increasingly common among SaaS and IaaS providers, which typically include them in the scope of their ISMS and statement of applicability.
Assuming you successfully pass your Stage 1 and Stage 2 audits, you will be certified for a three-year cycle, subject to annual surveillance audits and a recertification audit at the end of the cycle.
What are the benefits of ISO 27001?
A certified ISMS indicates that you take the management of security seriously (within the scope of certification) and are willing to have your security management system independently assessed. The business benefits of ISO 27001 certification are numerous, and include:
Improved Security Posture
An effective ISMS will help improve your ability to withstand and respond to cyber attacks and information security breaches. Roles and responsibilities will be defined, senior management engaged, incident response plans tested and business continuity procedures in place. Your employees will be trained and better prepared for dealing with risks.
Competitive Advantage
ISO 27001 certification has gone from being niche to commonplace. Organisations know their supply chain can be a weak link. Likewise, data controllers are looking to work with processors that have security best practice in place. A certified ISMS can help your business stand out from competitors and may even be obligatory when bidding for new business.
Regulatory Compliance
ISO 27001 certification won’t make you compliant with GDPR or NIS, but the disciplines embedded by a certified ISMS will certainly help you meet key obligations under both. These include leadership commitment and engagement, risk-led decision making, implementing organisational and technical controls, and continual evaluation and improvement.
Contractual Obligations
ISO 27001 will also help you meet information security contractual obligations. Sometimes these require you to become certified within an agreed period of time. We also regularly see contracts that list minimum security controls aligned to ISO 27001. Certification will clearly help you satisfy such obligations.
Continuous Security Improvement
Information security management isn’t a ‘set and forget’ topic. Threats evolve, new vulnerabilities arise constantly, and risk appetites change. For these reasons and more, it is essential to keep your security posture under continual review and improvement.
An ISMS will help ensure continual review and improvement of the way your business manages security, proportionate to the risks faced, through the management reviews, internal audits and corrective actions the standard requires.
If you’re thinking of gaining ISO 27001 certification, evalian® (specialists in data security) can help with an initial workshop, carry out a full gap analysis, support your ISO 27001 project or manage your ISMS for you. You can find out more about their services on their website or by contacting them directly.