Why is it important that Information Security Management Systems conform to ISO 27001?

The majority of organisations will generally now have a number of information security controls in place. However, without a formal Information Security Management System (ISMS), these controls tend to be somewhat disorganized, haphazard and disjointed.

The reason for this is that the controls have often been implemented partly as specific solutions for specific situations, or simply introduced as a matter of convention. Unfortunately, the security controls in operation today typically only address certain aspects of IT or data security, leaving non-IT information assets like paperwork and proprietary knowledge less protected and vulnerable. Sometimes business continuity planning and physical security might be managed independently of IT or information security, whilst Human Resources practices may not recognise the need to define and assign information security roles and responsibilities throughout the organization. The ISO 27001 standard was introduced to address these issues.

What is ISO 27001?

ISO 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO 27001 can therefore be formally audited and certified compliant with the standard. ISO 27001 requires that management:

  • Systematically examines the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts.
  • Designs and implements a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
  • Adopts an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an on-going basis.

What benefits does ISO 27001 bring?

The business benefits from ISO 27001 certification are certainly considerable, according to UK security compliance consultants. Not only do the standards help ensure that a business’ security risks are managed cost-effectively, but the adherence to the recognised standards sends a valuable and important message to customers and business partners: it clearly sends out the message that this business does things the proper way. ISO 27001 is invaluable for monitoring, reviewing, maintaining and improving a company’s information security management system and will unquestionably give partner organisations and customers greater confidence in the way they interact with you.

  • ISO 27001 is the de facto international standard for Information Security Management
  • It demonstrates a clear commitment to Information Security Management to third parties and stakeholders
  • It can provide a framework to ensure the fulfilment of commercial, contractual and legal responsibilities
  • It provides a significant competitive advantage, and can effectively be a license to trade with companies in certain regulated sectors
  • It provides for inter-operability between organisations or groups within an organisation
  • It can provide compliance with, or certification against, a recognised external standard which can often be used by management to demonstrate due diligence.

The Krypsys approach to ISO 27001 compliance

Our approach in the majority of ISO 27001 engagements with clients is to firstly carry out a Gap Analysis of the organisation against the clauses and controls of the standard. This provides us with a clear picture of the areas where companies already conform to the standard, the areas where some controls in place but there is some room for improvement and the areas where controls are missing and need to be implemented. For some organisations this will be the extent of the assistance required. However, following the Gap Analysis and debrief, it may be necessary to provide additional assistance by way of advice, guidance and project management for the implementation of suitable controls in order to qualify for the documentation that will be required to meet the standard, in preparation for any external certification.

If your business needs help with security compliance, penetration testing or web security solutions from Barracuda Networks, Check Point, Alien Vault and Netwrix, please contact Krypsys on 0845 474 3031 or [email protected].