ISO 27001 – What is it about?
ISO 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) in an organization of any size and business profile. It covers the handling of every kind of information asset, for example supplier contracts, project documentation, voice recordings of meetings or customer databases.
The basic principles built into the standard are: awareness of the need for information security and clear assignment of responsibility for it; active prevention and detection of information security incidents; a comprehensive, organization-wide approach to security management; and continual reassessment of information security with improvements made as appropriate.
Approaching information security through a standard means using a systematic, structured method based on proven practice rather than ad hoc measures. The standard has two major parts:
- The body of the standard describes a framework for identifying, assessing and treating information security risks. In ISO terminology this is the management system: the policies, procedures, guidelines and associated resources and activities, collectively managed by the organization, that are dedicated to protecting its information assets. Its clauses cover the organization's context, management commitment, risk assessment and risk treatment, documentation requirements, operation, performance evaluation and continual improvement.
- A normative annex to the standard (Annex "A") lists the reference controls that every organization must consider. Controls cover topics like people and human resource security, incident management, access control, and business continuity. The definitions of these controls answer the question what, but not the question how, so an organization that wants to fulfil a requirement is not tied to a single implementation method or tool. This is because every organization is different. It also means cost efficiency: the controls an organization applies are chosen on the basis of its own risk assessment, so if a given risk is considered low, there is no need for costly measures. The caveat is that a control from the annex cannot simply be ignored; the organization records in its Statement of Applicability which controls apply and justifies each exclusion, and an auditor will check those justifications against the risk assessment.
ISO 27001 is aimed at managers who do not want to take the risk of mismanaging information, wish to optimize information security spending, and want to demonstrate to their customers that their organization is worthy of their trust.