- Background of the ISO
- Wide Applicability of ISO
- Importance of ISO 27001:2013
- Certified Partnership
You may think of the certifications from the International Organization for Standardization (ISO) as simply a way that IT service providers can demonstrate their adherence to universally accepted practices and principles. Similar to physician board certification or Leadership in Energy & Environmental Design (LEED) certification in construction, ISO information technology standards essentially provide third-party validation so that you don’t just have to trust marketing material.
In fact, ISO isn’t just about figuring out what IT companies deserve your business. It can also be helpful in assessing your company’s own IT policies and procedures.
Background of the ISO
The International Organization for Standardization is the most prominent creator of worldwide standards. The collaborative group essentially creates a commonly understood language of expectations that businesses can use as guidelines to improve themselves and to prove their credibility to potential customers and partners.
The organization’s goal is to reach across national borders so that knowledge on how to conduct business safely and effectively can be shared without restriction. In 1969, soon after Olle Sturen became the group’s Secretary General, he announced that the mission to globalize technical standards had succeeded: “Political nationalism will most probably prevail for as long as we live,” he said, “and technical nationalism has disappeared!”
The ISO has been around since 1947 and has produced almost 20,000 different standards, all of them 100% optional, that outline best practices for business and technology. Members of the ISO, experts in all fields from more than 160 nations, contribute to the standards. Additionally, a staff of 150 is employed at the organization’s headquarters in Geneva, Switzerland.
Wide Applicability of ISO 27001
ISO 27001 focuses on the management of information security, but that absolutely does not mean it should only be of interest to tech companies: hacking is a concern for every business (e.g., Target in retail, Sony Pictures in entertainment, the US State Department in government).
“ISO standards are applicable to any size of company and any industry,” explained 27001 Academy CEO Dejan Kosutic. “It’s just the philosophy of the ISO standards that they apply to every company.”
Kosutic’s firm trains companies on the ISO standards so that they can more easily get certified. Most of his clients are service providers that want to kill two birds with one stone by making sure their own systems are sound and establishing that fact to business customers (as is the case with Superb Internet) – but again, there’s value in just the first half of that.
Importance of ISO 27001:2013
The purpose of ISO 27001 is to allow companies and other entities to protect any types of information they might want to store or process, including payment data, trade secrets, sensitive worker information, or anything submitted by outside parties.
Although the standard is always helpful in terms of identifying solid IT partners, it’s most helpful for IT departments that are complex, according to Kosutic. To determine if it makes sense internally, a firm has “to ask themselves whether they have confidential information or sensitive information that needs to be protected,” he said. “If it’s on a single computer, then they may not need the standard, but if it’s spread out on multiple systems, then the standard can be very useful.”
Officially referred to as ISO/IEC 27001 (incorporating the knowledge of the International Electrotechnical Commission as well), the ISO’s information security management system standard was updated and released in 2013 to reflect a more stringent approach toward intrusion prevention in an era of increasing criminal hacks.
Cybercrime has only continued to accelerate since 2013, but research conducted in the United Kingdom provides a glimpse into the global threat landscape at the time of the revision’s publication. The 2013 report, created by PricewaterhouseCoopers (PwC) for the UK government, revealed that almost 9 in 10 small businesses had been hacked within the previous 12 months. Many of those attacks exploited the third platform of computing, infiltrating systems through mobile devices and social media.
The ISO, recognizing that the standard was becoming outdated, moved quickly to create parameters that address the vulnerabilities of cloud computing and related technologies. Edward Humphreys, head of the working group for ISO 27001, explained that the new version brought it in line with today’s needs. “We have made a number of improvements to the security controls … to ensure that the standard remains current and is able to deal with today’s risks,” he said, “namely identity theft, risks related to mobile devices and other online vulnerabilities.”
The other major update to the standard was that it now integrates better with other standards used to certify management systems. That’s helpful when an organization adheres to more than one standard – as is the case with Superb Internet, which pairs 27001 with ISO 9001:2008 (Quality Management Systems).
Whether you decide to certify your own organization for ISO 27001 or not, you can easily lower your risk by working with certified IT vendors – especially when cloud computing is involved. At Superb, our entire system is certified to meet the strict guidelines of ISO 27001:2013.
By Kent Roberts