ISO/IEC 27001 is the leading international standard for information security management. It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), two of the main bodies that develop international standards.
ISO 27001 is part of the ISO/IEC 27000 family of standards, which together address information security management; ISO 27001 is the one an organization can be certified against.
ISO 27001 was developed to help organizations, of any size or any industry, protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).
The standard provides companies with the necessary know-how for protecting their most valuable information, but a company can also get certified against ISO 27001 and prove to its customers and partners that it safeguards their data.
Individuals can also get ISO 27001 qualifications by attending a course and passing the exam and, in this way, prove their skills to potential employers.
ISO 27001 is an international standard and is recognized all around the world. This global recognition increases business opportunities for organizations and professionals.
The basic goal of ISO 27001 is to protect three aspects of information:
- Confidentiality: information is accessible only to those authorized to see it.
- Integrity: information is accurate and complete, and can be changed only by authorized persons and in authorized ways.
- Availability: information, and the systems that hold it, are accessible to authorized persons whenever they are needed.
These goals are achieved through the use of an Information Security Management System (ISMS). An ISMS is a set of rules that a company needs to establish in order to:
- identify stakeholders and their expectations of the company in terms of information security
- identify which risks exist for the information
- define controls (safeguards) and other mitigation methods to meet the identified expectations and handle risks
- set clear objectives on what needs to be achieved with information security
- implement all the controls and other risk treatment methods
- continuously measure whether the implemented controls perform as expected
- make continuous improvement to make the whole ISMS work better
This set of rules can be written down in the form of policies, procedures, and other types of documents, or it can take the form of established processes and technologies that are not documented. ISO 27001 defines which documents are required, i.e., which must exist at a minimum.
Implementing this standard helps an organization to achieve four essential business benefits:
- Compliance with legal requirements
- Achieving competitive advantage
- Lower costs (through lowering the likelihood and impact of risks)
- Better organization (generally more process-driven, and more secure).
The focus of ISO 27001 is to protect the confidentiality, integrity, and availability of the information in a company. This is done by identifying what could go wrong with the information (risk assessment), and then deciding what needs to be done about each risk (risk treatment). Treatment does not always mean mitigation: a risk can be reduced with controls, avoided by stopping the activity that causes it, shared with a third party such as an insurer or supplier, or accepted by management when it is already within the acceptable level. So the primary philosophy of ISO 27001 is a process for managing risks: find out where the risks are, then systematically treat them, most commonly through the implementation of security controls (or safeguards).
Annex A of the 2013 edition of ISO 27001 lists 114 controls (or safeguards) in 14 domains; the 2022 revision regroups them into 93 controls across four themes (organizational, people, physical and technological). These controls are practices implemented to reduce risks to acceptable levels, and they cover the technical, organizational, legal, physical and human aspects of information security. Not every Annex A control is mandatory: the organization selects the controls that its risk assessment justifies and records, in a Statement of Applicability, which controls are applied and why the others are excluded.
Join us at Symphonise Consulting for our next ISO 27001 training course, and follow our website and social media channels for news.
Etienne Shardlow is CEO of Symphonise Consulting. With 25 years of experience in Information Technology, Etienne is our lead trainer and senior consultant. He is qualified in numerous best practice frameworks and methodologies in the project management, governance of IT, change management and IT Service Management space. He is a certified ITIL Managing Professional and ITIL Expert.