Generally speaking, most organisations and businesses have some form of controls in place to manage information security. These controls are necessary because information is one of the most valuable assets a business owns. However, their effectiveness is determined by how well they are organised and monitored. Many organisations introduce security controls haphazardly: some are introduced to provide specific solutions for specific problems, whilst others are introduced simply as a matter of convention. Such an ad hoc security policy addresses only certain aspects of IT or data security, and can leave valuable non-IT information assets, such as paperwork and proprietary knowledge, less protected and vulnerable. The ISO/IEC 27001 standard was introduced to address these issues.
What is ISO 27001?
ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organisations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard. ISO/IEC 27001 requires that management:
- Systematically examines the organisation’s information security risks, taking account of the threats, vulnerabilities, and impacts.
- Designs and implements a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
- Adopts an overarching management process to ensure that the information security controls continue to meet the organisation’s information security needs on an on-going basis.
Why is ISO 27001 so important and what business benefits does it offer?
The business benefits of ISO 27001 certification are considerable. Not only does the standard help ensure that a business's security risks are managed cost-effectively, but adherence to a recognised standard sends a valuable and important message to customers and business partners: this business does things the correct way. ISO 27001 is invaluable for monitoring, reviewing, maintaining and improving a company's information security management system, and will unquestionably give partner organisations and customers greater confidence in the way they interact with your business.
- ISO 27001 is the de facto international standard for Information Security Management.
- It demonstrates a clear commitment to Information Security Management to third parties and stakeholders.
- It can provide a framework to ensure the fulfilment of commercial, contractual and legal responsibilities.
- It provides a significant competitive advantage, and can effectively be a licence to trade with companies in certain regulated sectors.
- It provides for interoperability between organisations or groups within an organisation.
- It can provide compliance with, or certification against, a recognised external standard, which management can often use to demonstrate due diligence.
The Krypsys approach to ISO 27001 compliance
Our approach in the majority of ISO 27001 engagements with clients is to first carry out a Gap Analysis of the organisation against the clauses and controls of the standard. This gives us a clear picture of the areas where the company already conforms to the standard, the areas where some controls are in place but there is room for improvement, and the areas where controls are missing and need to be implemented. For some organisations this will be the extent of the assistance required. However, following the Gap Analysis and debrief, it may be necessary to provide additional assistance in the form of advice, guidance and project management for the implementation of suitable controls, and for producing the documentation required to meet the standard, in preparation for any external certification.