It’s often stated that knowledge is power. In today’s digital world, however, it’s information that governs power and success, particularly in a business context. Information is one of, if not the most, valuable assets that any business owns. Unfortunately whilst many organisations are practiced at gathering information, they are rather less adept at organising and securing this critical information. Many organisations and businesses will undoubtedly have some form of controls in place to control information security, but they tend to be erratically managed and are often introduced to address specific problems. Whilst such targeted solutions might address specific issues, they will inevitably fail to address other critical IT and data security issues and can often leave valuable non-IT information assets like paperwork and proprietary knowledge less protected and therefore vulnerable. The ISO/IEC 27001 standard was introduced to address these issues, and introduce a more formalised and structured standard for the management and control of security information.
What is ISO 27001?
ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. As it is a formal specification it mandates specific requirements. Organisations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard. ISO/IEC 27001 requires that management:
- Systematically examines the organisation’s information security risks, taking account of the threats, vulnerabilities, and impacts.
- Designs and implements a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
- Adopts an overarching management process to ensure that the information security controls continue to meet the organisation’s information security needs on an on-going basis.
Why is so important for your business to comply with the ISO 27001 standard
The benefits and advantages of ISO 27001 business certification are considerable. Not only do the standards help ensure that a business’ security risks are managed cost-effectively; adherence to the recognised standards also sends a valuable and important message to customers and business partners. It tells stakeholders that the business does things the correct way. ISO 27001 is invaluable for monitoring, reviewing, maintaining and improving a company’s information security management system and will unquestionably give partner organisations and customers greater confidence in the way they interact with your business.
- ISO 27001 is the de facto international standard for Information Security Management
- It shows third parties and stakeholders that the business is clearly committed to Information Security Management.
- The ISO 27001 standard provides a framework to ensure the fulfilment of commercial, contractual and legal responsibilities
- ISO 27001 provides a significant competitive advantage: in certain regulated sectors it can effectively be a license to trade with companies
- It provides for inter-operability between organisations or groups within an organisation
- It can provide compliance with, or certification against, a recognised external standard which can often be used by management to demonstrate due diligence.
How does Krypsys approach ISO 27001 compliance
In the majority of our ISO 27001 engagements with clients Krypsys will initially carry out a Gap Analysis of the organisation against the clauses and controls of the standard. This analysis provides us with a clear picture of the areas where companies already conform to the standard, the areas where there are some controls in place but there is room for improvement and the areas where controls are missing and need to be implemented. For some organisations this will be the extent of the assistance required. However, following the Gap Analysis and debrief, it may be necessary to provide additional assistance by way of advice, guidance and project management for the implementation of suitable controls in order to qualify for the documentation that will be required to meet the standard, in preparation for any external certification.
For information on how to comply with ISO 27001, help with penetration testing or web security solutions from Barracuda Networks, Check Point, Alien Vault and Netwrix, please contact Krypsys on 0845 474 3031 or [email protected]