ISO/IEC 27001 is an international standard on how to manage information security. … It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure.
The standard is effective because it is succinct and clear. It is universally recognized around the world, and is registered with the American National Standards Institute (ANSI), which licenses it globally.
The standard is also flexible – it can be applied to any type of business, regardless of size or industry sector, and it applies to both central management departments and operational departments.
Achieving compliance requires a significant amount of effort on the part of anyone tasked with setting up an ISMS from the ground up, or streamlining an existing ISMS, and certification is highly recommended.
The ISMS certification audit process is performed by ISO/IEC 27001 accredited certification bodies. There are fewer than 100 such bodies in the UK and Ireland. Only those certification bodies who have been properly accredited by the British Standards Institution (BSI), the ANSI (U.S.A.), or the JAB (Netherlands) are allowed to administer the ISO/IEC 27001 certification audit process.
Why Should ISMS be Certifiable?
You may be thinking, ‘certifying a security management system, isn’t that a bit “Big Brother”?’ But ISMS certification doesn’t conform to some stereotypical view of a security officer being bullied by an intrusive control freak with an oversized flashlight under his arm.
In fact, the certified person operating the system is demonstrably in control of the system, and is giving a positive self-assessment of compliance with best security practices as required by the ISO/IEC 27001 standard.
One of the reasons for ISO/IEC 27001’s success is its focused nature. It mandates controls over security that are both innovative and effective. Certification to this standard has its place in the security community.
When you hear members of the security industry talking about ISO/IEC 27001, they’ll almost certainly be talking about ISMS certification. In our experience, ISO/IEC 27001 has developed a wholly unsentimental connotation of documentation, control, and management. The standard gives everyone on the senior management team an individualized list of distinct management tasks. Such compliance offers demonstrable improvement in security management.
At the beginning of a new business venture, an ISMS should be established because it establishes good practice across the organization. This good practice becomes more effective as both management attention and focused investment increase. All businesses will experience ups and downs, but the more effective the ISMS, the more resilient it will be.
Once established, certification makes the ISMS a visible commitment to security precautions. Having a known standard of good practice means that staff know what to do, and the business knows they are doing it. It’s also a formal way of communicating to the external environment that you’ve thought about security, and are taking steps to improve it.
Obviously, if a business deals with sensitive customer information or protected property, such as software under license, it needs formal assurance that the ISMS will deliver resilience.
Certification is a more straightforward way of communicating security efforts than trying to document it all in a standalone manual. An ISO/IEC 27001 certification audit offers clear-cut evidence of purposeful implementation of information security management, as well as ongoing vigilance.
What is the Business Case for ISO/IEC 27001?
An ISO/IEC 27001 certified company has to follow 11 principles. These are actually quite simple and straightforward. For security managers, incorporating these principles into information security management might well be an obvious choice.
There are three underlying reasons that inform ISO/IEC 27001’s status as the global benchmark for information security.
ISO/IEC 27001 was created, and continues to evolve, via input from the cybersecurity community—practitioners in national governments and private industry—all guided by the ISO and IEC standards bodies.
As a standard, it’s open, transparent, and very well documented. The international standard is almost 20 years old, yet the information it contains is still as relevant now as it was when it was first written. It’s easy to understand, and offers value to the security professional as a methodological ‘blueprint’ that can be used to improve security.
Every certification body offering certification to ISO/IEC 27001 uses the Exam Guidelines and Security controls as the basis for every ISMS evaluation.
Benefits of Certification
ISO/IEC 27001 is a flexible standard. This means it can be applied to all kinds of businesses. What this really comes down to is the benefits that accrue to the business, aside from the obvious benefits of certification itself. ISO/IEC 27001 is a robust process.
An ISO/IEC 27001 certified business or organization has the satisfaction of knowing that it has a comprehensive, rigorous management system in place that is continually being updated to meet changing information security standards and to handle changes in both internal and external communication needs.
It has the organized assurance that best practices are in place, strengthened and refined by an ongoing focus on the inherent problems with information security management and business continuity measures.
An ISO/IEC 27001 certified organization acknowledges and recognizes the value of the ISMS. It also reinforces the use of ISMS among management as a positive enforcement of security essential to the well-being of the business.
When an organization certifies today, it might not yet be delivering business continuity or protecting information, nor have the capabilities to do so should an emergency occur. It cannot prove the ISMS’ worth in a crisis. That isn’t to say that we are suggesting it won’t have the capability; it is just not ready for one today.
We don’t, however, know of any organization that has not experienced a threat to security or interruption to business because of the threat of an information security breach.