In the 21st century, information security is paramount in every type of business. From client details to account data, information in the wrong hands can be dangerous both to you as a business and to your client base. Moreover, here in the UK the Data Protection Act 1998 legislates against the mismanagement of information and data, adding further onus on companies to implement careful data security controls.
The most popular international standard for information security is ISO 27001, published by the International Standardisation Organisation in 2013. It supersedes the original revision of the standard, which was published in 2013, and derives from the principles set out in the British Standard BS 7799-2.
The standard provides a framework for organisations of all shapes and sizes to implement information security, with advice on methodology, best practice and acceptable levels of security. If an organisation is fully compliant with the framework set out in the standard, it can apply for certification from an independent body, something an increasing number of organisations have done over the past couple of years.
The main aim of the ISO 27001 standard is to safeguard an organisation’s data whilst maintaining its availability, confidentiality and integrity. This is achieved via a philosophy of risk management: discovering risks in an information management system and then taking steps to mitigate them.
These mitigating steps are usually a combination of introducing new policies or operating procedures, technical implementations such as new hardware or software solutions, and education programmes for staff and clients. An example of a mitigating step might be a switch from on-site data storage, or information stored on a local network, to storing an organisation’s client information in ISO 27001 certified virtual data rooms. Organisations such as www.projectfusion.com provide accredited VDR solutions for organisations in a number of sectors and of a range of sizes.
Whilst software solutions such as firewalls and anti-virus packages form part of a company’s move towards ISO 27001, the framework requires a certain level of process management, legal protection and even physical protection of data storage sites. The standard describes how to implement a holistic security management system that encompasses everything from drawing up relevant documentation to implementing solutions on the ground in order to protect information across the entire organisation.
Implementing the standard can bring about a number of benefits for any organisation, large or small.
Firstly, implementing ISO 27001 is a great stride in becoming compliant with UK data protection laws. The standard ensures an organisation complies with the various articles set out in the Data Protection Act as well as other relevant legislation.
The standard is also designed to bring down an organisation’s operating costs. By being more organised and having standard policies and procedures in place, a firm can expect fewer breaches, greater efficiencies and a bottom-line saving on operating expense.
Finally, clients and suppliers look favourably upon organisations with ISO 27001 accreditation. In many cases a firm compliant with the standard will have a market advantage over its competitors as a more trustworthy, organised institution.
The standard is formed of three introductory sections that are for informational purposes and are not required for certification, followed by seven mandatory sections in which all requirements set out must be implemented if a company wishes to be compliant. There is also an Annex A with additional controls that should be implemented where relevant.
The first three sections contain information on the scope of the standard along with a number of key terms and definitions. The following sections detail the requirements a company should fulfil from planning, through implementation and leadership to support and improvement of policies and procedures.
The latest revision of ISO 27001 places a greater emphasis on the later sections of the standard, detailing the steps a company should take to evaluate and improve its information security management system once it has been implemented. It makes room for continuous improvement processes such as the Define – Measure – Analyse – Improve – Control (DMAIC) methodology from the Six Sigma toolkit.
There are two types of ISO 27001 certification: one for individuals and one for organisations.
The former is achieved by attending one of several ISO 27001 recognised courses. The most popular are the Lead Auditor Course (5 days), the Lead Implementer Course (5 days) and the Internal Auditor Course (2 – 3 days). The latter is a beginners’ course, designed to teach the basics of the standard, whilst the former two are for IT security professionals, auditors and consultants.
Organisations must implement the standard as previously described before going through a certification audit provided by an independent body. The audit involves three stages. Firstly, auditors will scrutinise the organisation’s documentation. The second stage involves auditors visiting the organisation’s site for inspection and audit. The final stage is ongoing over the course of the accreditation and involves surveillance visits from ISO 27001 auditors.