Each week our experts answer a specific question about ISO 27001. Discover below the first chapter: what does ISO 27001 certification really mean?
The standard
ISO 27001 is an internationally recognized standard. It defines the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system (ISMS). An ISMS built to the standard is aligned with the organization's business activities and addresses the risks it actually faces, rather than a generic checklist. ISO 27001 is part of a family of international ISMS standards (the ISO/IEC 27000 series) that benefits organizations worldwide by enhancing information security in today's risk-pervasive environment.
History and evolution
ISO 27001:2013 is the evolution of the previous 2005 version, which was itself a revised and updated version of the hugely successful British Standard BS 7799 Part 2, and it integrates the process-based approach of ISO 9001:2000 and ISO 14001:2004. Like all ISO standards, ISO 27001 undergoes a systematic review every five years. At the time of writing it is under review by the responsible ISO/IEC committee (JTC 1/SC 27), and an updated version is expected to be released soon.
The ISO 27001 Certification
Certification is performed by external, accredited certification bodies; ISO itself does not conduct certifications, it only produces standards and provides guidance. A certificate issued by such a body attests that your information security management system conforms to the requirements of ISO 27001 for a specific scope, which may be a part of the organization or the whole of it. The scope is therefore the first thing to read on any certificate: a certificate covering one data centre or one business unit says nothing about the rest of the organization.
ISMS and continuous improvement
An information security management system maintains the confidentiality, integrity, and availability of information. It protects the organization's own data as well as the information entrusted to it by customers and other interested parties. Designed as a lifecycle process (plan, implement, check, improve), it continuously manages risks in an ever-changing threat and vulnerability landscape rather than delivering a one-off snapshot of security.
Industry and size of the business
The standard applies to small, medium, and large organizations alike. It integrates flexibly with existing management systems (for example a quality management system under ISO 9001) and lets organizations choose the risk management approach that suits them, as long as the chosen approach is documented and applied consistently.
Organizations across industries, including telecommunications, finance, insurance, utilities, retail, manufacturing, healthcare, and government, now integrate it into their business strategies.
Mandatory
ISO 27001 certification is not mandatory today. Nevertheless, as regulatory and compliance obligations keep increasing (for example with the recent GDPR, eIDAS, NIS and other sector-specific regulations), regulators, customers and other interested parties increasingly expect ISO 27001 certification as evidence of an organization's commitment to protecting sensitive information. ISO 27001 is more and more often included in the acceptance criteria for businesses responding to private and public tenders.
As such, Approach recommends that all businesses implement an information security management system as a minimum. The certification path should be seen as the little extra mile that brings a tremendous return on that investment.
Laurent Deheyer, GRC Consulting Director, wrote this article.