ISO 27001 – what you need to know
Perhaps you have heard about the ISO International Standards? Most people know ISO 9001, which specifies requirements for a quality management system. However, ISO publishes standards across a wide range of areas. ISO 27001 deals with information security management and helps organizations keep their information assets secure.
What is ISO 27001?
ISO is the International Organization for Standardization, an independent non-governmental organization founded in 1947. ISO has developed more than twenty thousand standards and related documents covering most industries, including technology, food safety, agriculture and healthcare. ISO 27001 (formally ISO/IEC 27001, published jointly with the IEC) specifies the requirements for an Information Security Management System (ISMS) and is part of a series of information security standards, the ISO 27000 family. The first edition, ISO/IEC 27001:2005, was derived from the British standard BS 7799-2, and an updated edition, ISO/IEC 27001:2013, replaced it in 2013. Revisions of ISO standards are carried out by international expert groups that periodically determine whether a standard needs updating. ISO 27001 emphasizes management commitment and responsibility: management must decide which procedures and controls to implement and how to implement them.
ISO 27001 does not prescribe specific security measures. Organizations differ, so the ISMS must be adapted to each organization's own risk profile. The standard includes a reference list of possible controls (Annex A) that can be implemented to reach a suitable level of security, but the list is not exhaustive: some organizations will need additional controls, depending on their type of business and their security needs. ISO 27001 is closely related to ISO 27002, which provides implementation guidance and good practice for those controls.
Advantages of compliance
Complying with the ISO standard for information security management brings consistency to the security process. Being ISO 27001 certified not only demonstrates a high standard of information security management, it can also create other value such as credibility, trustworthiness and goodwill. Because a certified ISMS must meet the standard's requirements and pass an independent audit, certified organizations can assure their customers that their information security is managed to a high level. The certification creates value through its systematic approach to risk management, which can also help optimize both the security precautions themselves and the costs associated with them.
In 2015 more than 1.5 million ISO certificates were issued, an increase compared to 2014. The high number is largely explained by management system standards such as ISO 9001 and ISO 14001, which can be applied in nearly any organization. ISO 27001 certification is harder to obtain, since it requires a documented and operating ISMS that passes an independent audit, and only a few organizations in Denmark are certified. Nevertheless, many organizations choose to follow the standard without being certified, as it still represents good practice.
VIA University College in Denmark follows the ISO 27001 standard. By using Impero, they have achieved ISO 27001 compliance and streamlined their IT general controls (ITGC). To learn more about how VIA follows this standard, read our case story: ISO 27001 Compliance and IT general controls (ITGC) streamlined at VIA University College