Our experts will answer on a weekly basis to a specific question about ISO 27001. Discover below the first chapter: What does ISO27001 certification really mean?
Our ISO 27001 chapters
The standard
ISO 27001 is an internationally recognized standard that specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system (ISMS) within the context of the organization’s business activities and the risks it faces. It is part of a family of international ISMS standards that provides benefits to organizations worldwide by enhancing information security in today’s risk pervasive environment.
History and evolution
The ISO27001:2013 is the evolution of previous 2005 version which itself is a revised and updated version of the hugely successful British Standard BS 7799, Part 2, and integrates the process-based approach of ISO 9001:2000 and ISO 14001:2004. As for all standards, ISO 27001 is systematically reviewed every 5 years. It is currently under review from the various bodies and updated version to be released soon.
The Certification
A certification is performed by external accredited and respected certification bodies. It is not performed by ISO itself (they “only” produce standards and provide guidance). Obtaining a certificate by such body means that your information security management system is conforming with the ISO 27001 standards requirements on a specific scope of your organization or on the entire organization.
ISMS and continuous improvement
An information security management system is implemented to maintains the confidentiality, integrity and availability of information. This will include the information of the organization itself, as well as its customer information and other interested parties. It is designed as a lifecycle process that continuously manages risks in an ever-ending threat and vulnerability change landscape.
Industry and size of the business
This standard is applicable to small, medium and large organization. It is meant to be flexible enough to integrate with existing management system and allows organization to adopt various risk management approaches.
It is nowadays being integrated within business strategies from organizations in most industry sectors, including telecommunications, finance and insurance, utilities, retail and manufacturing, service providers, healthcare, police and emergency services, universities, government departments and agencies.
Mandatory
ISO 27001 certification is nowadays not mandatory. Nevertheless, as regulations and compliance obligations continuously increases (i.e. with the recent GDPR, eIDAS, NIS, other specific sector-based regulations), regulators, customers and other interested parties are strongly recommending ISO 27001 certification as an evidence to demonstrate their commitment to protect sensitive information. ISO 27001 is more and more often included into acceptation criteria for businesses applying to private and public tender.
As such, Approach recommends all businesses to implement an information security management system as a minimum. The certification path should be seen as the little extra mile that will bring tremendous return on that investment.
This article has been proposed by Laurent Deheyer, GRC Consulting Director.
You may find more information by visiting https://www.iso.org/standard/54534.html