In the businesses of cybersecurity, IT development, and managed information services, security is paramount. Today, any business that works with information can be a target for cyber attackers. While most companies don’t think it’ll happen to them, it’s always best to adopt a “when, not if” mentality to cybersecurity and information security integrity. One such way is the implementation of ISO 27001.
Specifically known as ISO/IEC 27001:2013, this management standard has been designed for the certification of organizations’ information security. It details requirements for establishing, implementing, maintaining, and continually improving a company’s ISMS (Information Security Management System). It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The aim is to facilitate a process in which organizations of any size can make the information assets they hold more secure. To be certified, organizations need to meet the Standard’s requirements and have an audit performed by an accredited ISO 27001 certification body.
The Standard is known for providing companies with the necessary tools to protect their most valuable assets. ISO 27001 Certification proves to customers and partners worldwide that a company takes the protection of data very seriously. This Certification Standard aids in compliance with legal requirements, gives a competitive advantage over competitors, keeps procedures organized, and mitigates costs from potential security breaches.
Committing to adherence to the rules and regulations of ISO 27001 takes time and effort but is 100% worth the investment!
Specifically, the fundamental goals of ISO 27001 are to protect three aspects of information:
A company needs to conduct risk assessments to find out what potential security problems could happen to data and then define what safeguards need to be put in place via the implementation of security controls and procedures to keep their data safe.
There’s no doubt that most organizations have a robust Information Security Management System in place already, but is it ISO-compliant? Probably not. An ISMS that complies with ISO 27001 stipulates a set of rules that a company needs to establish in order to:
These rules can come in the form of policies, procedures, or any other types of documentation, or can be in the form of processes and technologies that are established that may not necessarily be written down. When aiming for an ISO certification, however, there are certain documents and controls that are required at a minimum.
Having an ISMS that adheres to all the criteria and controls can do more for a business than just comply with the law and win new business. It can also:
By complying with the different controls and clauses in Annex A of ISO 27001 (a key component of an ISO audit), a company’s ISMS helps to protect all forms of its information, whether it’s digital, paper-based, or in the cloud. There are 114 different controls organized within 14 sections to serve as a checklist of sorts for ensuring ISO compliance and ensuring the integrity of information.
Putting a robust and comprehensive ISMS into place and keeping it updated and maintained will significantly increase resilience to cyber attacks. This could be via cryptography controls, operations security, or via physical security and access controls.
A key theme within the domains listed in the ISO Annex A is defining the organization and basic framework for implementation and operation of information security. There are key documents, such as an Information Security Policy and a Risk Treatment Plan, that outline who is responsible for what, where things are stored, and how and by whom they should be accessed. These key documents help to reduce complexity, keep information safe, and enable easy management all from one place. This also ties back into a key aspect of an ISO-compliant ISMS: Availability.
There’s no sense in establishing an ISMS if it stays static and doesn’t evolve in tandem with new security threats. There will be ongoing changes and emerging threats within the environment and a company and its ISMS must be able to reduce the threat of continually evolving risks.
This includes mandatory training and awareness programs, keeping software updated, having a solid end-to-end encryption solution, keeping an eye on mobile device management, and also being cognizant that there are plenty of zero-day exploits to be discovered and clever hackers working on new methods of cybercrimes. They’re always working! As should a company’s IT team! An ISO 27001 certification builds the right foundation and ongoing awareness to keep an organization safe.
Information security is generally considered to be a cost with no obvious and immediate financial benefit. Since there is no methodology or technology to calculate how much money a company can save by preventing a security incident, companies are banking on hopefully avoiding an expensive breach that may or may not happen at an indeterminate time. But breaches do happen, as do data leaks, disgruntled employees, or even former employees. It’s then that the management team will be grateful for the investment in ISO accreditation.
A key part of ISMS that feeds into an ISO 27001 audit and certification is determining the Risk Assessment Methodology, then implementing Risk Assessments and treatments. By generating these tools early and conducting a thorough analysis, organizations can reduce costs that they could have otherwise spent indiscriminately adding on layers of defensive technologies that might not necessarily be needed or wise.
This benefit is a given. A company’s ISMS offers a set of policies, procedures, technical controls, and physical measures to ensure the protection of the confidentiality, availability, and integrity of its information. That’s why an ISO 27001 Certification is not a simple set of steps to follow and checkmarks to collect, but a long and somewhat demanding process that requires an audit at the end. This third-party certification ensures that nothing is missed, that no crucial steps have been skipped, and that the certification carries real weight with existing and new customers.
The dedication to this certification speaks volumes about an organization’s commitment to information security.
A company is only as good as its employees. An ISMS should have a holistic view of the whole organization, not just the IT department. When undertaking certification, you need to decide what the scope of the ISO project will be. It may be easier and less risky to isolate this certification to one area, and not worry about the rest, but that will severely hamper the flow of information between departments. Rolling out ISO 27001 credentials across the company as a whole enables employees to readily understand the risks and embrace the security controls as a part of their everyday working practices.
An ISO 27001 Certification audit preparation consists of 16 steps:
1) Obtain the Support of Management
2) Treat it as a Project
3) Define the Scope
4) Establish an Information Security Policy
5) Define Risk Assessment Methodology
6) Perform Risk Assessment and Risk Treatment
7) Write the Statement of Applicability
8) Write the Risk Treatment Plan
9) Define How to Measure the Effectiveness of Chosen Controls
10) Implement Controls and Mandatory Procedures
11) Implement Training and Awareness Programs
12) Put ISO Compliant ISMS into Play
13) Monitor the ISMS
14) Conduct an Internal Audit
15) Conduct a Management Review
16) Corrective and Preventive Actions