What is ISO 27001, and why is it so important?
ISO 27001 is the most recognised and respected standard that sets out the specifications for an information security management system (ISMS). Owing to social, technological and environmental change, organisations increasingly rely on information technology and therefore have to show they can be trusted with the information and data they hold on behalf of their customers.
According to the standard, ISO 27001:2013 was developed to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS.
An organisation that is certified to ISO 27001:2013 demonstrates that it has identified the information security risks specific to its business, and that it has put in place preventive measures, or controls, to protect the organisation from information security breaches.
Those controls are outlined within Annex A of the standard. Annex A contains 114 controls, divided into 14 categories:
14 Control Sets of Annex A
A.5 – Information security policies: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
A.6 – Organisation of information security: To establish a management framework to initiate and control the implementation and operation of information security within the organisation.
A.7 – Human resource security: Ensuring that employees understand their responsibilities prior to employment and once they’ve left or changed roles.
A.8 – Asset Management: Identifying information assets and defining appropriate protection responsibilities.
A.9 – Access Control: Ensuring that employees can only view information that’s relevant to their job role.
A.10 – Cryptography: The encryption and key management of sensitive information.
A.11 – Physical and environmental security: Securing the organisation's premises and equipment.
A.12 – Operations security: Ensuring that information processing facilities are secure.
A.13 – Communications security: How to protect the information in networks.
A.14 – System acquisition, development and maintenance: Ensuring that information security is a central part of the organisation's systems.
A.15 – Supplier relationships: The agreements to include in contracts with third parties, and how to measure whether those agreements are being kept.
A.16 – Information security incident management: How to report disruptions and breaches, and who is responsible for certain activities.
A.17 – Information security aspects of business continuity management: How to address business disruptions.
A.18 – Compliance: How to identify the laws and regulations that apply to your organisation.
Organisations are not required to implement all 114 controls of ISO 27001. However, the controls help you identify the risks that may affect your business and the controls you would need to implement to treat them.
ISO 27002 provides further guidance on the information security controls and should be used as a supplementary standard to ISO 27001:2013.
Benefits of becoming certified to ISO 27001
As information is one of your organisation's most valuable assets, becoming certified to ISO 27001 provides the following benefits:
· Improved management processes and integration with corporate risk strategies
· Increased business resilience
· Improved customer and business partner confidence
· Alignment with customer requirements
· Improved reliability and security of systems and information.
Achieving certification with AvISO also shows that your organisation has:
· Been independently assessed against an international standard based on industry best practices
· Assessed its risks and thus mitigated the impact of any breaches within the management system
· Ensured that the information it holds is accurate and can only be modified by authorised users
· Protected that information from getting into unauthorised hands
Key benefits of working towards an ISMS with AvISO
Implementing ISO 27001:2013 provides the following key benefits:
· Improved Confidentiality, Integrity and Availability (CIA) of information
· GDPR and other legal compliance
· Business Continuity
· Cyber awareness
· Improved brand reputation
· Less paper/hardcopies
· Continuous improvement of technology and business processes
Along with the above, AvISO will also help with:
· Determining the key project deliverables and creating a project timeline.
· Supporting the development of the key policies and procedures that ISO 27001:2013 requires.
· Supporting the key records that are required, such as a statement of applicability or a risk treatment plan.
The good news is that ISO 27001 aligns with any ISO management system your business already has in place; this is in part due to the Annex SL structure.
ISO 27001 brings various significant benefits, and they easily outweigh the cost of having a professional information management system. The return on investment can be much more attractive than most business growth initiatives, which is especially important in today's marketplace.
To find out how AvISO can help you implement ISO 27001 or improve your system further, information is available on our website. We also have several testimonials from clients who we have worked with in the past and continue to support into the future.