What is ISO 27001?
ISO 27001 is the global benchmark for Information Security Management Systems (ISMS). Developed through a joint partnership between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 encompasses 114 security controls that address people, policies and technology. ISO 27001 provides a framework for organisations to implement a best practice approach to their information security.
What is an Information Security Management System?
An Information Security Management System (ISMS) is a holistic approach to information security. An ISO 27001 ISMS outlines the controls, policies and procedures an organisation needs to implement to ensure the confidentiality, integrity and availability (CIA) of information assets. In order to maintain efficient and successful asset security, an ISMS should be supported by regular security risk assessments.
The Benefits of ISO 27001
ISO 27001 is fast becoming one of the most popular information security standards worldwide. More and more businesses are realising the benefits an ISO 27001 accreditation can have, with the number of certifications rising more than 450% over the last decade.
Secure Exchange of Information
The ISO 27001 standard helps to protect all your private information, whether it be digital, hard copy or stored in the cloud. By identifying the risks your information security may face and devising a risk management plan, your organisation can be sure that you’re prepared for any threat that arises.
Competitive Advantage and Reputation
An ISO 27001 certification will give your organisation a competitive business advantage as it demonstrates that you have done the most to protect both your own information, and any information shared with your company. This will help strengthen the trust your partners and clients have in your ability to safeguard their assets, and distinguish you from competitors who do not have an ISO 27001 certificate.
Reduce Information Security Costs
Having an ISO 27001 accreditation reduces your information security costs in a variety of ways. Firstly, as the gold standard for ISMS, ISO 27001 minimises the risk of potential data breaches that lead to devastating financial losses. In addition, possessing an ISO 27001 certificate also indicates that your information security is highly effective. This results in less need for repeated customer audits and reduces the work involved in external audits. Lastly, the ISO 27001 standard requires a comprehensive risk analysis, which helps you make the most of your budget by implementing only the necessary security controls.
Meets All Legal and Third-Party Obligations
ISO 27001 is designed to make sure your information security is in line with all relevant laws and regulatory requirements. Furthermore, it may be the case that your company is contractually obliged by clients, or other third parties, to demonstrate a certain level of information security. In these instances, an ISO 27001 certificate would confirm that your ISMS is of the highest standard.
Improve Security Structure and Focus
The ISO 27001 standard is a great way to add structure and focus to your organisation as it creates awareness amongst your employees and shares the responsibility of information security. An ISMS encompasses people as part of information risk, which aids in developing a better understanding of security risks amongst employees. This results in better training and healthier working practices.
An Independent Opinion on Security Posture
To keep up to date with the ISO 27001 standard, your ISMS must undergo regular reviews and internal audits. An accredited third-party will also have to conduct an external review at specific intervals to establish that all controls are properly functioning. This independent assessment can help your organisation better understand the strengths and weaknesses of your information security, by providing an impartial, expert opinion on the matter.
What are the ISO 27001 requirements?
ISO 27001 provides organisations with 10 clauses that serve as the ISMS requirements. They are summarised below.
1-3 Terms and Definitions
This section provides background information on the terms, definitions and normative references that need to be understood when implementing the ISO 27001 standard.
4- Context of Organisation
In order to successfully build an ISMS, you first need to understand the context of your organisation. Start by investigating your business environment, as this will help you identify all the factors that may affect how effective your ISMS will be at achieving its goals. This includes examining which assets you want to protect, all internal and external issues, as well as any interested parties and the expectations they may have. Analysis at this level will also determine the ISMS scope, and how extensively it needs to be applied throughout the organisation.
5- Leadership and Commitment
Strong leadership and ongoing commitment are paramount to the successful application of ISO 27001. A top-tier management system needs a top-tier manager, after all. This clause outlines the various responsibilities required of those in leadership positions, such as establishing an ISMS policy and objectives that align with the overall business strategy, allocating all necessary tasks and resources, and maintaining clear communication throughout the implementation process. The ISO 27001 requirements state that all roles and duties must be assigned.
6- Planning
This clause of ISO 27001 reinforces the necessity of planning and preparation when initialising an ISMS environment. Specifically, it addresses the need for a risk management process that identifies all risks and opportunities. The information gathered during clause 4 will provide the basis of your security risk assessment. Furthermore, the planning clause also outlines the importance of setting security goals that align with the company’s overall objectives. These goals should also be accompanied by a plan to achieve them, and communicated to all personnel.
7- Support
The ongoing success of an ISMS is reliant on adequate and continual support. This includes sufficient resources, competent employees, clear communication and thorough documentation of information. ISO 27001 defines resources as any people, time, budget, information and infrastructure needed to implement the ISMS. An employee's competency relates to their ability to capably perform their duties in regard to the ISMS. While good communication can sometimes be hard to quantify, in this scenario it is determined by the availability of information to the people who need it, in a timely manner. This may include facilitating information access for a range of necessary parties, both internal and external. Lastly, documentation needs to be an ongoing and comprehensive process, with information being continually created, controlled and updated.
8- Operation
By the time your organisation has reached this clause you will have already defined the context of your organisation and the scope of the ISMS, identified all risks and opportunities, and planned how best to achieve the ISMS goals. Now it’s time to use this information to implement the processes and controls. These processes need to be monitored to ensure they are meeting the ISMS requirements, and adjusted where necessary to compensate for any unexpected changes.
9- Performance Evaluation
The ISO 27001 standard sets an expectation that the ISMS is subject to constant analysis and evaluation. Management should constantly review the ISMS to confirm that all processes meet with the predefined outcomes and align with the overall direction of the organisation. Furthermore, ISO 27001 expects that the performance and effectiveness of the ISMS processes be determined by an internal audit program.
10- Improvement
Evaluation is followed by improvement. All nonconformities (and their causes) need to be eliminated. While the context of the organisation and scope of the ISMS may be subject to constant change, a persistent improvement process will guarantee that your ISMS will continue to run smoothly.
Annex A
Annex A lists the 114 security controls that organisations need to implement to meet ISO 27001 guidelines. They are divided across 14 security domains.
How Do You Get ISO 27001 Certified?
A company can receive an official ISO 27001 certificate by undergoing a formal assessment by an accredited certification body. The accredited body will perform an audit to determine whether your organisation’s ISMS is fully compliant with the ISO 27001 standard. This audit will verify whether the ISMS meets the requirements of the proposed scope and objectives set forth by your organisation. In addition, it will also identify any nonconformities or lapses in the ISMS processes. In the event of a successful audit, an ISO 27001 certificate will be issued. These audits will typically be conducted on an annual basis to ensure that the ISMS remains up to the ISO 27001 standard and continues to operate as normal.