What is ISO 27001?
Digital technology in general and the internet in particular have generated incalculable volumes of data, transforming the way we manage and interact in business. A globally recognised system of regulation is essential to prevent this brave new world from turning into the wild west. The International Organisation for Standardisation (ISO) was founded in 1947 to develop and publish worldwide technical, industrial and commercial standards, and its work is just as important today. Its family of information security standards was first released in 2005, and periodic updates have kept them vital and relevant. ISO 27001 is a joint initiative with the International Electrotechnical Commission (IEC), which gives it the benefit of specific electrotechnical and digital expertise.
The standard's aim is to establish a framework of rigorous but realistic requirements for the management of information, with a strong emphasis on ISO 27001 risk assessment so that businesses and other organisations understand and maintain their strengths while identifying and rectifying their weaknesses. The standard is respected all over the world as confirmation of alignment with information security best practice. An internal IT security department alone is not judged to be sufficient: an information security management system (ISMS) is crucial because it covers all security processes end to end. Certification is a badge of trust and reliability, which is why ISO 27001 compliance should be the goal of every business that has even a passing relationship with digital practices.
How Do You Qualify for Certification?
Obtaining certification is a challenging management project, and the requirements will differ from business to business. That is because, although ISO 27001 sets requirements, it does not make the implementation of specific security controls mandatory. ISO acknowledges that every organisation is unique and accepts that, in the development of an ISMS, not all controls will be universally applicable. The emphasis is on businesses being able to demonstrate that their choices as to which controls to implement are based on a decision-making process that is consistent with the standard.
The two most important tasks are scoping your ISMS, to define precisely what information requires protection, and conducting a risk assessment to identify potential threats. Other clauses in the standard make certain supplementary procedures mandatory: risk assessment reports, an information security policy, internal audits, management reviews and corrective actions. Again, while these procedures are mandatory, the specific means of realising these objectives are not. Cyber-security is an issue of increasing importance, and ISO 27001 should be seen as a partner rather than an obstacle. Our consultants have the knowledge and experience to guide you through the process and help you achieve that coveted certification.