ISO/IEC 27000 is an internationally recognized family of information security standards. So, how does a family like ISO 27000 (which includes ISO 27001, ISO 27002, and dozens of related standards) get adopted internationally by thousands of organizations?
Typically, when a bunch of really smart accredited experts, who know a lot of ‘things’ about a lot of ‘things’, get together and say “this is the best way to do this ‘thing’” then you have something called “best practices”.
So, what ‘things’ are we are talking about here?
Information Security and Information Security Management practices.
In this scenario, the accredited experts belong to the International Organization for Standardization, or ISO for short, which has member bodies from 165 countries. The 27000 family is actually published jointly with the International Electrotechnical Commission (IEC), which is why the formal names read ISO/IEC 27001 and so on.
These members get together and talk about information security. They formalize thoughts into documents, then documents into draft standards. They debate and vote on which drafts are approved and, voila, you have published best practices like ISO 27000.
Think of the standards they develop “as a formula that describes the best way of doing something.”
The ISO 27000 Formula
The “formula” being discussed in this blog is the ISO/IEC 27000 “family” of standards, and more specifically ISO 27001, which sits at the core of the family. ISO 27001 is the requirements standard: it states what an organization must do to establish, operate, maintain, and continually improve an Information Security Management System (ISMS), and it is the standard an organization is audited against. If you are not familiar with the term, an ISMS is an organization’s systematic approach to information security, covering processes, people, and technology rather than technology alone. If an organization wants to build an ISMS, look no further than ISO 27001 for the requirements.
The beauty of ISO 27001 is that it lets you treat the information security risks facing your organization in a cost-effective way. So, how is this possible? Isn’t cyber security, like, expensive? Not if you approach it systematically.
By following the guidance laid out in ISO 27001 you take a risk-based approach: you identify the risks that actually apply to your organization, decide which ones are unacceptable, and spend on the controls that reduce those. Considering only relevant risks empowers you to make smart investment decisions instead of buying every control on the market.
Controls, Controls and More Controls
Annex A of ISO 27001 contains a list of adaptable information security controls: 114 controls in 14 domains in the 2013 edition, consolidated into 93 controls across four themes (organizational, people, physical, and technological) in the 2022 revision. Expanding on these controls, ISO published a companion document called ISO 27002. This document serves as a helpful guide when implementing controls from Annex A. While Annex A tells you what to do, ISO 27002 digs a bit deeper, providing the purpose of each control and direction on how to actually implement it. Reading through ISO 27002 helps clarify and reinforce the importance of ISO 27001’s requirements.
These controls address information security risks organizations might face. However, not every control is necessary for every organization. Taking ISO 27001’s risk-based approach, organizations conduct a risk assessment (ISO 27005, the family’s risk management standard, is the natural companion here) to reveal where their biggest risks lie. That visibility shows which controls will reduce the organization’s information security risks to an acceptable level. One practical check: ISO 27001 requires a Statement of Applicability that lists every Annex A control, states whether it is applied, and justifies any exclusion, so an auditor will expect each “not applicable” to trace back to the risk assessment.
We should note here that you’re not locked into the ISO 27005 risk assessment methodology. There are plenty of other approaches, such as NIST’s Risk Management Framework (with SP 800-30 covering the assessment itself) or OCTAVE. However, ISO 27005 is a great resource for conducting a risk assessment that aligns cleanly with ISO 27001’s requirements.
Benefits of ISO 27001
This may seem like a big undertaking, so what exactly are the benefits of ISO 27001? Well, allow us to list a few:
- If you have an ISO 27001 based ISMS, your organization protects information assets based upon internationally recognized best practices
- An ISO 27001 based ISMS demonstrates to clients and vendors that shared information is protected
- Believe it or not, this benefit alone can win your company business (more on this below)
- Reduces the costs your organization incurs protecting information, because spending follows assessed risk
- Increased resiliency in the event of a cyber incident or business disruption
- Allows flexibility and adaptability to the ever-changing threat landscape
Following up on the second bullet above, one thing that hasn’t been mentioned yet is that a company can become ISO 27001 certified.
What does it mean when a company is ISO 27001 certified? It means an accredited, independent certification body has audited the organization’s ISMS against the requirements in ISO 27001 and found it conforming. A certificate is typically valid for three years, with surveillance audits in between and a recertification audit at the end of the cycle, so certification is an ongoing commitment rather than a one-off event.
Scoping and Certification
When getting certified, you communicate the scope of your ISMS to the auditor. This might mean that only a certain process, such as software development or manufacturing, is within the scope of the audit. For smaller organizations, it might make sense to certify the whole organization. For larger organizations, it’s helpful to standardize and certify critical business functions first. The auditor is not going to look at anything outside of the scope, but ISO 27001 does require the scope to be documented along with its interfaces and dependencies on other parts of the business, so a scope that carves out a shared system the in-scope process relies on will be questioned. Keeping this in mind, determining scope is one of the most important parts of an ISO 27001 ISMS implementation.
Future proofing your ISMS
In certain business sectors, organizations must prove ISO 27001 certification before entering into partner/vendor contracts. This is especially important for supply chain information security: many organizations refuse to introduce unnecessary risk into their supply chain, and a certificate is a concise way for a vendor to show its ISMS has been independently assessed.
ISO 27001 certification helps businesses stand apart from competitors who might not prioritize information security. Many practitioners expect that within the next few years it will be difficult to do business without a standardized ISMS, because the risks of bringing on a partner/vendor who does not prioritize information security can easily outweigh the benefit of the products/services they provide.
When this time comes, will you be able to proudly wave your certificate? Or will you be playing catch-up because security was historically an afterthought? Utilizing the ISO 27000 family of standards is a great way to start future proofing your ISMS.