Information is the lifeblood of any business – this is especially true if your clients have entrusted their valuable data to you.
ISO 27001 is an information security standard and part of the ISO 27000 family of standards; its current version was published in 2013, with a few minor updates since then. The family of standards is vast (39 at the time of writing), but, as with the other standards, our main focus is on the requirements of ISO 27001.
ISO 27001 grew out of the British Standard BS 7799, originally published in 1995, which was written by the old Department of Trade and Industry (DTI) and consisted of several parts.
The first part contained best practices for information security management, and the second part focused on how to implement an Information Security Management System (ISMS). Part 3 covered risk analysis and management.
Each part was adopted separately by ISO at different times (Part 1 in the year 2000, Parts 2 and 3 in 2005), but since the last review of the standard in 2013 very little reference is now made to any of the BS standards in connection with ISO 27001.
A quick note about one quirk with this standard - you may see reference to either ISO 27001:2013 or ISO 27001:2017 (note the change in year designation). The 2017 change was introduced to indicate approval by CEN/CENELEC for the EN designation (‘European Standard’), the background to which I’m not going to bore you with here. Needless to say, in practical terms, nothing has changed between the 2013 and 2017 versions of the ISO 27001 standard except for a few minor cosmetic points and a small name change. Either version of the standard is perfectly acceptable, and certification can be against either one; it makes no difference.
Why get an Information Security Management System?
Maintaining an Information Security Management System (ISMS) is the most effective way of reducing the risk of suffering a data breach.
An ISMS is a systematic approach to managing the security of sensitive information and is designed to identify, manage and reduce the range of threats to which your information is regularly subjected.
There are a whole host of benefits to putting in an ISO 27001 management system, such as:
Demonstrating credibility when tendering for contracts
Showing you are taking cyber security threats seriously
Avoiding penalties and financial losses due to data breaches
Removing the need to complete detailed security questionnaires on supply chains
Giving yourself a proven marketing edge against your competitors
Meeting increasing client demands for greater data security
Protecting and enhancing your reputation
Proving to all stakeholders such as your suppliers and partners that your - and their - data is secure
Meeting national and global security laws
The majority of organisations will generally have a range of different information security controls in place. However, without a formal ISMS these controls tend to be somewhat disorganised, haphazard and disjointed.
The reason for this is that the controls have often been implemented over a number of years to firefight specific problems with specific solutions. For example, you used one IT company to put up a firewall but get your antivirus software from an online subscription; you use access cards, but it’s only in the last few years that you’ve started collecting them from people leaving the company; you’ve started issuing guidelines to new starters that define business practices for employee equipment and internet usage, but you don’t know whether they’ve been issued to employees who’ve been with you for a while.
Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).
Article originated in The Ideas Distillery blog