ISO 27001 is actually the first of a family of international standards called ISO/IEC 27000, and it provides the specifications for information security management. The ISO 27002 Code of Best Practice is closely related to ISO 27001 and provides guidance on international best practice in information security management from around the world. The ISO 27001 and ISO 27002 framework is used to manage risks related to all the information security subject areas that might affect the business, from external threats (hackers, viruses, etc.) to internal threats (employees, fraud, etc.).
In order to demonstrate a solid information security posture, organizations with an international presence, and subsidiaries of European and American companies located in a foreign country, should be interested in obtaining ISO 27001 certification.
ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).
What is an ISMS?
An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.
It can help small, medium and large businesses in any sector keep information assets secure.
The certification of ISO 27001 remains valid for 3 years and provides an organization with the following benefits:
- It helps create trust in business relationships by demonstrating that effective security controls are in place.
- It improves security controls through a continuous and methodical approach.
- It enables directors of US and UK-listed companies to provide evidence of meeting the requirements of the Turnbull Guidance, the Combined Code, Sarbanes-Oxley and other legislation.
- It enables organizations outside the UK and US to demonstrate compliance with national and international data privacy and data protection legislation.
The Way To Certification
In order to achieve compliance, the ISO 27001 requirements are mandatory; ISO 27002 provides suggestions on how to improve controls, but these are not required for compliance.
Without proper planning, the following obstacles might create roadblocks for an effective ISO implementation:
- To be compliant with ISO 27001, employees are required to embrace the new security controls introduced by the standard, and this organizational change could also affect company culture.
- The active involvement of top management and the board of directors in the project implementation could add unanticipated layers to the process.
- ISO 27001 compliance projects can be seen as solely an initiative of the IT department rather than a priority for the entire organization.
- The project can be seen as just additional workload, so its benefits may be overlooked.
- Proper communication at all levels of the organization about the project's requirements, benefits, etc. will also be needed.
- The technical expertise and work needed may be beyond in-house resources.
Getting The Job Done - Initial Approach
The design and implementation of an ISMS is more a management role than a technological one. To succeed, the project must have enough resources, and the project leader will need to:
- Communicate with all levels of the organization, explaining why information security is important for the company and the benefits of being ISO 27001 certified.
- Know how the project needs to be structured and what the key elements and requirements are.
- Know where and how to find the necessary help.
At Appknox, we ensure that our security audits cover all the necessary requirements as per ISO 27001 as well. This ensures that our customers not only get to know what issues they have but can also understand what they need to do to make sure they meet necessary requirements as per ISO 27001.