Information security management systems
Introduction to ISO 27001:2013
ISO 27001 is an international standard published by the International Organization for Standardization (ISO) that describes how to manage information security in a company. The latest revision of this standard was published in 2013, and its full title is now ISO/IEC 27001:2013.
ISO 27001 can be implemented in any type of organization: commercial or non-profit, private or public, small or large. It was written by the world's leading experts in the field of information security and provides a methodology for implementing information security management in an organization. It also allows a company to become certified, which means that an independent certification body has confirmed that the organization manages information security in accordance with the requirements of the international standard ISO 27001.
What is an Information Security Management System?
The focus of ISO 27001 is to protect the confidentiality, integrity and availability of information in an organization. This is done by identifying what problems could occur with the information (risk assessment) and then defining what needs to be done to prevent such problems (risk treatment, i.e. reducing the likelihood or the impact of the risk). The basic philosophy of ISO 27001 is therefore risk management: find out where the risks are and then address them systematically.
The safeguards (or controls) to be implemented usually take the form of policies, procedures and technical measures (e.g. software and equipment). In most cases, however, a company already has the necessary hardware and software in place but uses it in an insecure way - so most of an ISO 27001 implementation consists of setting the organizational rules (writing the documents) needed to prevent security breaches. Because such an implementation requires managing multiple policies, procedures, people, assets and so on, ISO 27001 describes how to fit all these elements together into an Information Security Management System (ISMS).
Information security management is therefore not only about IT security (firewalls, antivirus, etc.) but also about process management, legal protection, human resources management, physical security, and so on.
IT alone is not enough. If you work in an IT department, you are probably aware that most problems occur not because computers have failed, but because users use the technology the wrong way. Such breaches cannot be prevented by technical safeguards alone - policies, procedures, training, awareness, disciplinary measures, etc. are also required. Experience shows that the more varied the security measures applied, the higher the level of security achieved.
It should also be borne in mind that not all sensitive information is digital (almost every organization also holds information on paper), which means that IT security by itself is not enough and that the IT department, although key, cannot on its own achieve a high level of information security.
IT security makes up only about 50% of information security (according to ISO 27000), which means that not only the IT department but the entire organization has to take part in the implementation.
What benefits will it bring to my business or organization?
There are 4 main business benefits that a company can achieve by implementing this information security standard:
Compliance with legal requirements - there are more and more laws, regulations and contractual requirements concerning information security, and the good news is that most of them can be addressed by applying ISO 27001 - the standard gives you a methodology for complying with all of them;
A marketing advantage - if your company is certified and your competitors are not, you may have an advantage over them in the eyes of customers who care about how their information is protected;
Lower costs - the basic philosophy of ISO 27001 is to prevent incidents, and any incident, big or small, costs money. Preventing them therefore saves money, and the investment in ISO 27001 is far smaller than the savings it brings;
Better organization - fast-growing companies usually do not have time to stop and define their processes and procedures, so employees very often do not know what is to be done, when and by whom. Applying ISO 27001 helps resolve such situations by encouraging the company to document its core processes (even non-security ones), reducing the time its employees lose.
Where to start?
We are consultants with over 15 years of experience in the implementation, auditing and certification of management systems. Together with you we will create the plan that best suits your needs, so that you can obtain the certificate as smoothly and efficiently as possible!
If you would like to receive a consultation offer, please click