Certification & Compliance in a Nutshell: What is ISO 27001?

Nutshell

This installment is the fourth in our series on various voluntary standards and mandatory regulations that require certification and compliance from businesses. Tech providers often get auditing of their systems so that their clients can know that they are safe and will stay within legal parameters.

Today we focus on ISO 27001, a standard of the nonprofit, globally recognized International Organization for Standardization:

  • What is ISO 27001?
  • ISO 27000 Family – RelatedStandards
  • What are the ISO & IEC?
  • Benefits of Certification
  • Planning Process & Main Sections
  • Conclusion.

What is ISO 27001?

This standard is actually called the ISO/IEC 27001, since its development is shared between the ISO and IEC (discussed briefly below). The topic is information security management – so essentially, this standard is designed to help organizations keep their data safeguarded against intrusion and/or theft.

“Using this family of standards will help your organization manage the security of assets,” explains the ISO, “such as financial information, intellectual property, employee details or information entrusted to you by third parties.”

This standard is the most widely used one in the 27000 group, a family that establishes proper design and use of an information security management system (ISMS).

An ISMS is a strategic, structured way to frame administration of confidential data, avoiding vulnerabilities and compromise. It assesses risk throughout the enterprise, including the employees, tasks, and computer networks.

Any size of organization, regardless of industry, can use the standard for protective purposes, according to the ISO. The latest version, as of January 2015, is ISO 27001:2013.

The ISO notes that while certification to its standards is entirely optional, many organizations decide to get certified, for two main reasons:

  • Go through the process to improve internal mechanisms so that the business is more secure.
  • Let clients know that the independently available and objective guidelines of ISO 27001 have been implemented.

This standard was created, per the ISO, to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”

ISO 27000 family – Related Standards

Like other major standard bodies, the ISO bundles its standards into subject-specific series, such as ISO 27000, which describes best practices for an ISMS.

Other standards within development by the ISO, according to BSI Group (the British Standards Institution), include:

  • 27003 – This standard helps organizations initiate an ISMS.
  • 27004 – This standard offers metrics to optimize the system.
  • 27005 – This standard focuses on assessing and limiting risk.
  • 27006 – This standard helps accreditation organizations understand proper steps for certification and registration.
  • 27007 – This standard describes how an ISMS should be audited.

What are the ISO & IEC?

The International Organization for Standardization, ISO, is a worldwide nonprofit headquartered in Geneva, Switzerland. As an association with almost 20,000 standards and members in 166 nations, the ISO is the most recognized and most widely used standardization body on the planet. The organization, which is led by a Central Secretariat operating out of Switzerland, creates guidelines for sourcing, producing, deploying, managing, and delivering consumables, services, and mechanisms. Its catalog of guidelines is pivotal in standardizing and streamlining global trade, improving efficiency, and enhancing safety.

The International Electrotechnical Commission (IEC), established in 1906, develops standards and conformity assessments that allow electronic parts and products to operate and integrate safety and effectively. Although the ISO is the most widely recognized standardization association for general subject matter, the IEC describes itself as “the world’s leading organization for the preparation and publication of International Standards for all electrical, electronic and related technologies.”

Benefits of Certification

The British Standards Institution notes that properly securing data allows companies to focus on building, developing, and fostering greater customer relationships with the peace-of-mind that sensitive data is not at risk. BSI Group lists five major specific benefits of ISO 27001:

  1. Determine any vulnerabilities and implement plans to resolve or minimize them.
  2. Choose what mechanisms will work best for each of your divisions.
  3. Impress partners and clients, easing their information security concerns.
  4. Show that you comply with regulations and earn greater vendor credibility.
  5. Decrease your liability through  respected third-party compliance rules.

Planning Process & Main Sections

This standard “uses a topdown, risk-based approach and is technology-neutral,” according to Margaret Rouse of TechTarget. Grouse describes the six steps listed within the standard to create and test your systems for an optimized ISMS:

  1. Create your policy to protect data.
  2. Establish the parameters of your information security management system.
  3. Carry out a risk assessment.
  4. Determine how to resolve vulnerabilities.
  5. Decide what controls are intended to achieve and which ones to enact.
  6. Write out any refinements and deployment decisions to set the ISMS into action.

Conclusion

We focus on certification and compliance in this blog series because that’s one major way that we have differentiated ourselves from our competitors. We are one of the only hosting services with such a broad spectrum of third-party credentials, including SSAE 16, ISO 9001:2008, ISO 27001:2013, ITIL, HIPAA, FISMA, and Sarbanes-Oxley.

By Kent Roberts