ISO 27001 represents a fundamental commitment to information security.
ISO 27001 is for information security what ISO 9001 is for quality, but its scope is much broader. The standard was developed by leading experts in the field to provide a methodology for implementing and managing information security in an organisation. It also enables an organisation to achieve certification: an accredited, independent certification body audits the organisation and confirms that its information security management system conforms to the requirements of the standard.
ISO 27001 certification is a signal that a business is not only taking information security seriously but is committed to upholding that standard over time. Achieving certification requires a great deal of commitment, so if you have the choice between a supplier who is certified and one who isn't, the certified one has at least demonstrated to an independent auditor that it is dedicated to maintaining a high standard of security.
But the standard isn't just a way to check whether a provider is any good; it is a valuable step for any business to take. It is therefore surprising how many business leaders and IT managers seem to be unaware of the standard and the value that it brings.
The requirements of ISO 27001 describe best practices for an ISMS (information security management system), which is a system of processes, documents, technology and people that helps protect the business and its assets. It is built around three key information security properties:
Confidentiality: limiting information access and disclosure to authorised users/entities only, and preventing access by or disclosure to unauthorised users/entities.
Integrity: ensuring that data has not been changed inappropriately, whether by accident or deliberately, i.e. maliciously. This concept also includes "origin" or "source" integrity, for example ensuring that a company can confirm that any data it receives has actually come from the person or entity identified as the sender.
Availability: ensuring that all key information resources are available when needed. The loss of key data or downtime on one IT system could put the entire business at risk.
In order to maintain ISO 27001 certification, companies must undergo annual external surveillance audits and a full recertification audit every three years, during which they must demonstrate continual improvement of the ISMS. When ISO publishes a new revision of the standard, certified companies must transition to the new version within the published transition period to retain their certification. These requirements drive a certified company to keep maintaining and improving its ISMS rather than treating certification as a one-off exercise. They also assure customers that the commitment to maintaining the confidentiality, integrity, availability and privacy of their data is ongoing and will continue to be evaluated by independent auditors.