ISO 27001 Q&A

Why is an information security management system important?

Information (such as a customer database or know-how) is one of the most valuable assets of an organization and requires proper protection. Many organizations operate without a comprehensive approach to information security, which leaves them more vulnerable to all kinds of internal and external information security threats. The primary beneficiary of an ISMS is always the top management, as processes are controlled and operation is more secure. Operating a certified ISMS creates customer trust and can be a sales enabler.

What kind of information can be protected using ISO 27001?

ISO 27001 is generic, which means it is intended to be applicable to all organizations, regardless of type, size and nature, to protect the confidentiality, integrity and availability of all types or forms of information. The scope of an ISMS is always a managerial decision. Ideally, an information security management system covers the whole organization, but it can also be used to protect only certain processes, sites or types of information.

What is the relationship between ISO 27001 and GDPR?

The goal of GDPR is to protect personal information. Personal information is a category of information that can be protected by setting up an ISO 27001 compliant ISMS. Implementing an information security management system is a good starting point to achieve GDPR compliance. As ISO 27001 controls are general in nature, compliance with the standard doesn't necessarily entail GDPR compliance. To achieve GDPR compliance, the relevant ISO 27001 requirements must be implemented with the specific GDPR requirements in mind. The ISO 27701 standard contains specific requirements that fit into the ISO 27001 framework to support GDPR compliance.

What systems and tools are compulsory to achieve ISO 27001 compliance?

The ISO 27001 standard doesn't require the use of any specific product or service; it only defines requirements that such products or services must meet. Therefore, the existence of any particular system or equipment is not a prerequisite of compliance, nor will DACHS force the introduction of any technology or platform. The customer may need to choose, procure and introduce services or products to cover the standard's requirements, but this is always the result of a risk analysis and the customer's own decision.

What factors influence DACHS consultancy service fees?

Service fees are always unique and depend on several factors, such as:

  • Management system coverage (number of customer sites, number and complexity of business processes covered)
  • Integration requirements, such as the existence of another ISO management system (e.g. a quality or service management system)
  • The extent of consultant participation, ranging from merely providing advice on how the customer should carry out its ISMS implementation project to taking over most of the ISMS definition tasks (writing procedures based on interested-party interviews, holding internal training sessions, etc.)

It is a common misconception that setting up and operating an ISMS is expensive. ISO 27001 controls don't prescribe what to implement or how; they define only the purpose of each control. The organization has to select the way it implements the controls, and ISO 27002 is a great standard for implementation advice. The requirements are more detailed than those of quality or even service management systems, but simple questions require simple answers, and low-risk areas can be covered by inexpensive solutions.