ISO 27001 is the international standard that describes best practice for an ISMS (information security management system). But what does that really mean? How different will your organisation be for having adopted the Standard, and what benefits does it provide?
We answer those questions and more in this blog.
What does ISO 27001 do?
The main objective of ISO 27001 is to create a comprehensive and efficient system for managing the data organisations collect and the threats they face.
This can be achieved by implementing an ISMS, which is a centrally managed framework that helps organisations manage, monitor and improve their information security in one place. It contains policies, processes and controls that are designed to protect the confidentiality, integrity and availability of data.
Confidentiality refers to the ability to make sure data is only accessed by authorised people, integrity refers to the accuracy and completeness of records, and availability refers to the ability to ensure data is accessible when required.
To ensure that information is protected across these fronts, organisations need to know the risks related to them. Some are obvious. For example, confidentiality can be breached if you leave records in an unlocked drawer in a part of the workplace where anyone can find them. The same goes for storing digital records on the organisation’s intranet.
However, other risks are harder to identify. Do you know exactly where you store information, and the records kept in each filing cabinet or computer folder?
The answer is almost certainly no, but you will do once you’ve completed a risk assessment.
ISO 27001 risk assessments enable organisations to identify where information is held and the security threats related to each location. They also determine the risks that cause the biggest issues, which in turn helps inform organisations’ decisions when selecting appropriate security controls.
The risk assessment process begins by noting every location where information is stored, and the type of information kept there. Then you must make a list of every way that information could be breached. Each of these risks is assigned a score based on the likelihood of the risk occurring and the damage it would cause. This is done with the help of a risk matrix:
For example, a risk that has a high probability of occurring but will cause a medium level of damage will score 6.
The aim of the scoring process is to help organisations prioritise the biggest threats. After all, they simply won’t have the time and resources to address every risk and must accept that some potential scenarios are not significant enough to justify addressing.
This might seem like a bad strategy, because it potentially means organisations are doing nothing to tackle risks that occur frequently, and although they don’t cause much damage, their regularity will inevitably be frustrating.
However, organisations always have the option to tackle the risk without adopting a security measure. This usually means avoiding the risk by adjusting the way they operate.
Even if it’s not possible to avoid a risk, prioritising risks is helpful because it means you can dedicate your efforts to incidents that can cause serious problems. This ensures that each high-priority risk is addressed properly and reduces the chance of your defences failing where it matters most.
That brings us on to what you should do with prioritised risks. The answer is to adopt security controls based on the best practices outlined in Annex A of ISO 27001.
Once you’ve determined which control is appropriate for each risk, you should consult ISO 27002 for a more in-depth explanation of how to implement each control.
Organisations should document the controls they’ve implemented and omitted in an SoA (Statement of Applicability). This, alongside a gap analysis, turns your ISMS from simply a one-off implementation of security controls into a framework for ongoing information security management.
The SoA documents the relevance of each control along with an explanation of why it has or hasn’t been selected. It should also state the organisation’s level of progress in implementing the control (which can be determined by conducting a gap analysis). This could be a simple ‘done/not done’ checkbox, or it could go into more detail, explaining whether a plan has been formalised, further guidance is needed, work has begun, and so on.
These documents should be reviewed regularly as you manage and monitor the effectiveness of your information security processes. They will also be vital whenever it comes to conducting a follow-up risk assessment (which should occur at least every three years or after any major organisational change).
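As an added example (not from the original post), the scoring, prioritisation and SoA steps above carried through in Python. It assumes a 3x3 matrix on 1-3 scales (which reproduces the post's "high likelihood, medium damage = 6"), an acceptance threshold of 4, a constructed sample register, and Annex A control numbers from the ISO 27001:2022 edition.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed 3x3 matrix on 1-3 scales (the post's matrix image is not reproduced);
# it matches the post's example: high likelihood x medium damage = 6.
LEVEL = {"low": 1, "medium": 2, "high": 3}
ACCEPT_BELOW = 4  # assumed threshold: scores under this are accepted, not treated

@dataclass
class Risk:
    location: str            # where the information is held
    threat: str              # how it could be breached
    likelihood: str
    impact: str
    control: Optional[str] = None  # Annex A control chosen to treat it, if any

def score(risk: Risk) -> int:
    """Likelihood x impact, read off the matrix."""
    return LEVEL[risk.likelihood] * LEVEL[risk.impact]

def prioritise(risks, accept_below: int = ACCEPT_BELOW):
    """Split the register into risks to treat (highest score first) and risks accepted as-is."""
    treat = sorted((r for r in risks if score(r) >= accept_below), key=score, reverse=True)
    accepted = [r for r in risks if score(r) < accept_below]
    return treat, accepted

def soa(risks, gap_status, accept_below: int = ACCEPT_BELOW):
    """Draft Statement of Applicability rows for the controls that treat prioritised risks.
    gap_status maps control id -> implementation state found by the gap analysis."""
    rows = {}
    for r in prioritise(risks, accept_below)[0]:
        if r.control is None:
            continue  # treated by avoiding the risk (changing how the team works), not by a control
        row = rows.setdefault(r.control, {"selected": True, "why": [],
                                          "status": gap_status.get(r.control, "not started")})
        row["why"].append(f"{r.threat} at {r.location} (score {score(r)})")
    return rows

# Constructed sample register; control ids follow ISO 27001:2022 Annex A numbering.
REGISTER = [
    Risk("unlocked drawer in a shared office", "paper records read by anyone passing", "high", "medium", "A.7.7"),
    Risk("intranet file share", "payroll files readable by all staff", "high", "high", "A.5.15"),
    Risk("finance laptop", "device lost while travelling", "low", "high", "A.8.1"),
    Risk("meeting-room printer", "printouts left on the tray", "high", "medium"),  # avoid: collect at print time
]

if __name__ == "__main__":
    for r in prioritise(REGISTER)[0]:
        print(score(r), r.location, "->", r.control or "avoid by changing the process")
    for control, row in soa(REGISTER, {"A.5.15": "in progress"}).items():
        print(control, row["status"], "; ".join(row["why"]))
```

Risks that fall under the threshold stay in the register as accepted, so the next follow-up assessment can re-score them rather than rediscover them.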
Benefits of ISO 27001
We’ve already covered some of the benefits of adopting ISO 27001, but the Standard also:
- Secures your information in all its forms: An ISMS helps protect data in all its forms, including digital, paper-based and in the Cloud.
- Increases your resilience to cyber attacks: Implementing and maintaining an ISMS significantly increases your organisation’s resilience to cyber attacks.
- Provides a centrally managed framework: An ISMS provides a framework for keeping your organisation’s information safe and managing it in one place.
- Offers organisation-wide protection: An ISMS protects your entire organisation from technology-based risks and other, more common threats, such as poorly informed staff and ineffective procedures.
- Helps you respond to evolving security threats: Risks are continually evolving, but an ISMS reduces the threat by constantly adapting to changes both in the environment and inside the organisation.
- Reduces costs associated with information security: The risk assessment and analysis approach of an ISMS means organisations can reduce spending on defensive technology that might not work.
- Improves company culture: ISO 27001’s holistic approach covers the whole organisation, not just IT, and encompasses people, processes and technology. This enables employees to readily understand risks and embrace security controls as part of their everyday working practices.
Get started with ISO 27001
You can find out more about ISO 27001, including how to prepare for an implementation project, with our range of free resources.
Our guides, webinars, reports and brochures provide a wealth of information on how to get started with the international standard for information security.