Why Are So Many Organisations Certifying to ISO 27001?

What do Microsoft, Verizon, Apple, Google, Intel, and Amazon have in common?

As well as all being Fortune 500 companies, they are all ISO 27001 certified. With a global growth rate of 20%, ISO 27001 has become the de facto standard for information security management system certifications.

Why are so many organisations getting certified to ISO 27001?

Data breaches and cyber attacks are, unfortunately, becoming a regular occurrence. According to research from the Identity Theft Resource Center, there were 1,864 security incidents in 2021.

That’s a 68% increase over the previous year, and as organisations become increasingly reliant on technology, the number of incidents will continue to rise unless information security is sufficiently prioritised.

Organisations that have already certified to ISO 27001 understand the benefits of the framework, but for everyone else, its true potential is yet to be seen.

How ISO 27001 helps

ISO 27001 sets out a best-practice approach to cyber risk management that can be adopted by all businesses, large or small.

The Standard outlines three essential aspects or ‘pillars’ of effective information security: people, processes and technology.

This three-pronged approach helps organisations defend themselves from both highly organised attacks and common internal threats, such as accidental breaches and human error.

ISO 27001 certification brings a wealth of benefits. For example, it helps organisations:

  • Avoid penalties and financial losses due to data breaches.
  • Meet increasing client demands for greater data security.
  • Protect and enhance their reputation.
  • Obtain independently audited proof that their data is secure.

Plus, as organisations look to address their wider information security requirements, there is the small matter of the GDPR (General Data Protection Regulation) to contend with. Again, ISO 27001 can help.

Its framework overlaps with the GDPR in several places, most notably in Article 32, which states that organisations must:

  • Take measures to pseudonymise and encrypt personal data.
  • Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • Implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.

Article 32 also mandates that organisations address risks that could lead to the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data”.

An effective ISMS (information security management system) that conforms to ISO 27001 will meet all these requirements. This ensures that organisations comply with the GDPR in the most efficient way possible, with their compliance practices embedded within their overall information security measures.

A new standard

A new version of ISO 27001 was published in October, introducing several adjustments in the way organisations are expected to manage information security. 

There are new requirements related to planned changes and how organisations should deal with them, as well as a greater focus on the needs and expectations of interested parties. 

However, the most significant differences in ISO 27001:2022 relate to its structure. There is new terminology, the 14 clauses are gone and the total number of controls has decreased from 114 to 93. 

If organisations are going to maintain ISO 27001 compliance after the transition period, they need to understand how these changes affect them and the steps they must take to meet the new requirements.

With the Standard only being a few months old, there is little guidance on how the new requirements will affect organisations and the best way to implement the changes.

Fortunately, information security management expert Steve G Watkins has summarised the essential guidance in his new book: ISO/IEC 27001:2022 – An introduction to information security and the ISMS standard.

This pocket book is intended to help organisations make informed decisions before embarking on their ISO 27001 implementation project, while also ensuring that non-specialists on the project board and in the project team have a clear understanding of what an ISMS involves. 

The book also ensures that staff know what is at stake with regard to information security and understand what is expected of them, and gives you confidence to begin your ISO 27001:2022 implementation journey. 

A version of this blog was originally published on 18 March 2018.
