5 reasons why ISO27001 is the certification you need
Charlotte Bourguignon

Written by: Roxana Lemaire

The amount of trust you have in the iPhone’s weather app is the amount of trust you should have in your data being safe from threats. Do you trust your data to be protected enough, or would you rather have an extra safety system such as ISO 27001?

What is ISO 27001?

ISO 27001 is an international standard for setting up an Information Security Management System (hereafter ISMS) and the necessary requirements. It was introduced by the International Organization for Standardization in 2005 and has since been revised 3 times.

The Standard follows a harmonised structure and is applicable to all forms of organisations. It aims to secure processes, people, and technology through the three cornerstones of information security, namely the confidentiality, integrity, and availability of information, supported by a risk management process to adequately manage risks.

  • Confidentiality (C): the organisation’s data and systems need to be protected from unauthorised access via means of technical controls, e.g., multifactor authentication and encryption.
  • Integrity (I): relates to the accuracy, trustworthiness, and completeness of data. It means that data cannot be altered or tampered with in an unauthorised or unintended manner, and that it remains consistent and trustworthy over time.
  • Availability (A): the organisation’s data needs to be always accessible. Regularly performing updates, keeping back-ups, and having a business continuity plan in place can prevent data from becoming unavailable.

ISO 27001 and GDPR

While GDPR is a regulation that protects personal data and ISO 27001 covers Information Security Management, there’s quite a lot of overlap between the two. As an ISMS manages the security of all information assets within the company, including personal data, the many technical and organisational measures required by article 32 of the GDPR are covered.

A crucial element of ISO 27001 is risk management. It requires organisations to perform risk assessments and risk treatments through the implementation of information security controls. As the GDPR requires organisations to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, ISO 27001 can help you with that.

Lastly, just as the GDPR requires organisations to appoint a DPO, ISO 27001 requires you to assign and communicate roles relevant to information security. Organisations often appoint a CISO (Chief Information Security Officer) in this case, who is responsible for the overall management of all security functions. The CISO can also take on the role of DPO and oversee GDPR compliance if they don’t have decision-making power in determining the purposes and means of processing personal data.

ISO 27001 best practices

First and foremost, it’s important to keep in mind that the certificate itself cannot be the goal. The certificate doesn’t mean you’re secure. It’s the procedures, controls, and security measures you implement to protect your data that will result in a secure ISMS, and ultimately in the ISO 27001 certificate.

Once you have decided that you want your organisation to get certified, the first priority is to define the correct scope, based on your organisation, its needs, and the business processes.

Remember to involve not only top management, who are necessary to oversee, support and direct the ISMS, but also your employees. Employees are essential not only in implementing all procedures and controls, but also in maintaining the effectiveness of the ISMS once it’s operative.

Lastly, keep it simple and make use of what you already have. There’s no need to set up new policies or a document management system if you can incorporate the ISO 27001 requirements into existing procedures and documents.

How ISO will benefit your organisation

There are a couple of major benefits to implementing an ISMS like ISO 27001:

1. Secure information protection of crucial data

The ISMS ensures the protection of crucial data via the three cornerstones of information security (Confidentiality, Integrity, Availability), and it reduces the risk of security breaches.

2. Improved resilience to cyber-attacks

By implementing ISO 27001 you have a range of policies, procedures, controls, and guidelines in place to detect, solve, and prevent future cyberattacks in a structured way.

3. Continuous improvement

The Standard is based on the PDCA (Plan-Do-Check-Act) cycle, also known as the Deming Wheel, which is all about continuous improvement. Each part of the cycle aids in the long-term establishment and stability of the ISMS.

4. Global recognition

The ISO 27001 Standard is internationally recognised as one of the benchmarks for information security management. Being ISO 27001 certified means that you as an organisation are compliant and strive to conform to the CIA triad. As a result, it creates trust with not only your customers, but also your suppliers.

5. Easier global privacy compliance

Holding the ISO 27001 certificate means you already comply with a standard that holds legal and regulatory requirements. Not only the GDPR, but also other data protection legislation from Canada, California, Australia, and Brazil is taken into account.

It’s no surprise the ISO standards are widely known and accepted. Over the past couple of years, organisations have started to see the importance of an ISMS, both for the internal organisation and for winning clients’ and suppliers’ trust. The importance ISO 27001 puts on risk management, policies, controls and procedures instils trust and confidence.

Are you ready to put more trust in your organisation’s security system, or would you rather risk that 30% chance of precipitation?

 

 
