What is ISO27001?
ISO 27001 is a specification for an information security management system (ISMS) published by the International Organization for Standardization (ISO). An ISMS is a framework of policies, procedures, processes, and various technical controls that set the information security rules for an organization.
It's hard to imagine a 'good time' to receive customer requests for an independent certification of your organization's controls. However, with the right mindset, it can be a power for good. If a customer never asked for a review, you may not have found that glowing, flashing, red, problem hiding in the corner of the environment that, had it gone unnoticed, may have been the reason your organization's name ended up on the news.
As a security professional, I’d like to see all organization leverage frameworks like ISO27001 to ensure that they have a properly implemented ISMS. But, like most things, frameworks and certifications vary from one to the other.
Certain audits, like a SOC Audit, are often easier to obtain, can be less expensive, and the timeline is often shorter. These can be compelling reasons for many organizations – especially those who view an audit as “checking the box”. However, I think it’s important to note that SOC Auditing standards are not a security framework and may not help your organization prevent or respond to data breaches.
Pros of ISO27001
- ISO27001 can help protect your organization’s data and reputation. Data breaches can be expensive with hard costs such as fines. The cost of a reputational hit is hard to measure. For a small to medium sized business a breach could have a huge impact.
- An ISO27001 Certification can be a competitive advantage over similar organizations that are not certified.
- ISO27001 is an international standard for managing Information Security that is globally recognized, which is important if you do business with companies outside of the United States.
I have worked with organizations that implemented an ISMS based on ISO27001 without going through the certification process, but simply because they recognized the need for better security and cyber resilience. However if you want to be certified, you’ll need to be able to show that you have defined security processes in place. You need to show who is responsible for what. You also need to demonstrate what you are doing to manage risk and how you would handle a breach if one is detected. Frankly, ISO27001 requires that you’ve given data protection the attention it deserves, and you continue to do so on an ongoing basis.
To be certified you must follow the certification process that includes an assessment by an organization approved to perform ISO27001 certification and also have an audit of your ISO27001 ISMS performed independently.
The ISO27001 standard has a good deal of flexibility however there are some hard and fast requirements:
- Define the scope of your information security management system in a statement of applicability.
- Develop security policies, procedures, and supporting processes.
- Implement a risk assessment / risk treatment process.
- Assess skills required and competency of resources.
- Conduct training and maintain records of training on general security awareness and more specific security role-based training.
- Conduct audits of your information security management program (this is not the same as the actual certification assessment).
Send Us Your Comments
What did you think of this article? Send us a note to let us know what you liked, would like to see more of, or what we can do better. And don't be surprised if we reach back out with a small 'thank you' gift for your feedback.