Some time ago a friendly colleague reached out to me asking about ISO 27001. The questions were simple but got me thinking. I then realized that there could be others who would have similar questions and if I put some of that information in a blog, it could reach a wider audience.
So, what is ISO 27001?
“ISO 27001 (formally known as ISO/IEC 27001:2013) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.”
Simply put, ISO 27001 is a standard and there are many others across the IT/Information/Cyber Security industry.
A standard is simply a set of requirements one must meet in order to achieve uniformity and quality. Depending on your needs, this uniformity could be applied to a team, a department or an entire organization. The standard is largely built around security best practices and what one should do to align security within their organization (or elsewhere).
Alright then, what is ISMS?
An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization’s sensitive data. The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach.
Oh no! Not again.
Simply put, it is how one manages security and associated risks. It focuses on commitment from leadership, documentation, risk management, auditing, improvements, logging, the security triad (CIA), etc.
Why do we need it?
Well, we don’t necessarily “need” it but wouldn’t we all want to have great security practices?
When you think about it, in order to have consistent security across an organization, you would definitely want to have consistent practices (best practices).
How does one build consistency? By regularly following a set of rules or guidelines (ISO 27001 controls/control objectives). This is where a standard such as ISO 27001 comes in. It not only helps one identify gaps but also emphasizes continuous improvement, thereby closing gaps over time rather than leaving them open.
Is it worth it?
It depends on your needs, the needs of your organization, regulatory needs, legal needs, the culture within the organization and so on, since pursuing the standard requires a team effort.
Getting ISO 27001 certified shouldn’t be your end goal. Following industry best practices and focusing on continuous improvement should be what you are trying to achieve. The certification only provides assurance that the certificate holder does in fact follow those best practices.