ISO 27001:2005
ISO 27001 is the international standard for Information Security Management Systems (ISMS). It provides a model for risk assessment, security design and implementation, and ongoing security management. The standard specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS, covering information in both digital and paper form.
ISO 27001 is the international ISMS standard against which an organization can be formally audited and certified. A certified ISMS provides independent assurance that your organization has identified, and is managing, the legal, statutory, regulatory and contractual requirements that apply to its sensitive information. Obtaining ISO 27001 certification demonstrates to customers and regulators that you have taken the necessary steps to protect sensitive information against unauthorized access, within the scope your ISMS defines.
The Need for Information Security
Today, Information Technology (IT) is an essential and complex element of almost every organization. IT underpins everything from the email you send, to the documents you create, to the information you keep on clients and suppliers.
With the proliferation of connected devices, it has become easier for individuals to access this information from anywhere in the world. With greater ease of access, however, it also becomes easier for unauthorized users, whether outsiders or your own staff, to obtain your organization's private data.
Current events and world news are full of such cases. Julian Assange's organization, WikiLeaks, published thousands of confidential diplomatic cables; the release of these sensitive documents allegedly compromised governmental intelligence and placed lives in jeopardy. In the private sector, American Airlines recently had the credit card numbers of over 350 passengers stolen. The thief? One of the airline's own clerks, an insider with legitimate access. Frighteningly enough, credit card theft on this scale is not an isolated incident.
What is an Information Security Management System?
From internal emails to sales materials to financial statements, organizations of all sizes and in all industries handle large amounts of information every day. To an organization like yours, this information is a competitive advantage: it is how you solve problems, win large clients, and gain your share of the market. The goal of an Information Security Management System (ISMS) is to protect the information that differentiates your business, both online and on paper.
Principles of an Information Security Management System
While the implementation of an ISMS will vary from organization to organization, there are underlying principles that every ISMS must follow in order to protect an organization's information assets effectively. These principles, a few of which are described below, will help guide you on the road to ISO/IEC 27001 certification.
The first step in successfully implementing an ISMS is making key stakeholders aware of the need for information security. Without buy-in from the people who will implement, oversee, or maintain the ISMS, it will be difficult to sustain the level of diligence needed to achieve and keep a certified ISMS.
For an organization's ISMS to be effective, it must analyze the security needs of each information asset and apply controls appropriate to the risk to that asset. Not all information assets need the same controls, and there is no silver bullet for information security. Information comes in all shapes and sizes, and so do the controls that will keep it safe.
Implementing an ISMS is not a project with a fixed end date. To keep an organization's information safe from threats, an ISMS must continually grow and evolve to meet a rapidly changing technical landscape. Continual reassessment of the Information Security Management System is therefore a must. By regularly testing and assessing the ISMS, an organization will know whether its information is still protected or whether modifications need to be made.
These are just a few of the principles that guide the implementation of an Information Security Management System. For more information, contact PJR at 1-800-800-7910 or pjr@pjr.com to talk to the experts.
Information Security is a Management Function
While there are many technical aspects of creating an Information Security Management System, a large portion of an ISMS falls in the realm of management.
One of the weakest links in the information security chain is the employee: the person who accesses or controls critical information every day. An ISMS must include policies and processes that protect an organization from misuse of data by employees, whether careless or deliberate. These policies must have the backing and oversight of management in order to be effective.
In addition to formal policy and process changes, management must also change the culture of the organization to reflect the value it places on information security. This is no easy task, but it is critical to the effective implementation of an ISMS.
Information Security Management is a process
Just as organizations adapt to changing business environments, so must an Information Security Management System adapt to technological change and to new organizational information. To support this, ISO/IEC 27001 takes a process approach to the ISMS, built on the Plan-Do-Check-Act (PDCA) cycle: plan the ISMS, implement and operate it, monitor and review it, then maintain and improve it.
Overview of Certification
An Accredited Registrar such as PJR may certify your ISMS to ISO/IEC 27001. Such certification provides your organization with the credibility needed to do business in today's information-rich world. Like many other ISO standards, ISO/IEC 27001 certification involves a three-stage audit process:
Stage 1: Initial Review of the ISMS – In the first stage of your ISO/IEC 27001 audit, auditors review your ISMS documentation. This includes checking for the existence of key ISMS documents (such as the scope statement, security policy, risk assessment and Statement of Applicability) and reviewing the overall design of the ISMS. The goal of this stage is to confirm you are ready for the full audit, to familiarize the auditors with your organization, and for you to get to know the auditors.
Stage 2: Formal Conformance Audit – The second stage is the formal audit: a thorough and detailed review and test of your Information Security Management System against the ISO/IEC 27001 requirements. During this stage, auditors will interview key employees to test their understanding of the ISMS and examine evidence that controls are actually operating. Provided your organization's system conforms to the ISO 27001 standard, and any nonconformities raised are resolved, this audit will result in your ISMS being certified to ISO/IEC 27001.
Stage 3: Surveillance Audits – The final stage of ISO/IEC 27001 certification is a recurring audit to ensure that your ISMS is continually being evaluated and improved. A surveillance audit, done at least annually, confirms that your organization remains in conformance with the standard, and the certificate is renewed through a full recertification audit at the end of each three-year cycle. These audits may be done more frequently in the beginning, particularly while your ISMS is still maturing.
Deciding to pursue a certified Information Security Management System is a big step for any organization, but the potential rewards are great. Armed with a certified ISMS, your organization will be able to bid for contracts more competitively, attract more customers, and assure all stakeholders that the information that keeps your business running is protected.
ISO/IEC 27001 Background
ISO/IEC 27001 was not the first ISMS standard. In 1995, BSI Group published BS 7799, which described best practices for Information Security Management. In 1999, BSI published the second part of the standard, BS 7799-2, which specified how to implement an ISMS. After a revision in 2002, BS 7799-2 incorporated the Plan-Do-Check-Act model, aligning it with quality-management standards such as ISO 9000. This version of BS 7799-2 was adopted by ISO in 2005, becoming ISO/IEC 27001:2005.
Benefits of ISO 27001
Gaining third-party certification to ISO 27001 brings many benefits to both your organization and its stakeholders.
For one, ISO 27001 certification will enhance the credibility of your organization. With your management system independently certified by an accredited third party, clients, suppliers, and other stakeholders can have confidence that your organization has taken the necessary measures to protect its information. Note that the certificate attests to the ISMS within its stated scope, so the scope statement is what a customer should read first. In addition to giving peace of mind to your current clients, ISO 27001 can also help to attract new, security-conscious customers.
ISO 27001 certification can also strengthen the security culture throughout the workplace. This matters because vital information is not only kept on servers and hard drives, but also accessed and remembered by the individuals in your organization. ISO 27001 certification can transform your organization's culture into one that values the firm's private data.
Who needs ISO 27001?
Any organization that holds sensitive information is a candidate for ISO 27001 certification. In particular, companies in the healthcare, finance, public, and IT sectors can benefit greatly from a certified ISMS.