Governance, Risk and Compliance Blog

ISO 27001 and information security – An introduction

Posted by Marc Gardner on Thu, Jul 20, 2017

Simply put, ISO 27001 is about information security, and how you manage it in an ever-changing world. You're not only having to contend with the effects of digitisation, big data and the Internet of Things, but the growing demands of globalisation, regulation, and protection against cyber threats.

What ISO 27001 gives you is a best-practice method of implementing an information security management system (ISMS). Having this system in place, and achieving ISO certification, means you can demonstrate to your customers and partners that you're committed to information security. And you'll have an advantage when it comes to winning tenders with government clients or large corporate clients, who often demand that their suppliers comply with the standard.

Already in 2017, several large organisations – the NHS, Wonga and Three, to name a few – have fallen victim to serious security breaches. The Government's Cyber Security Breaches Survey revealed that 7 out of 10 large businesses had suffered some form of breach or attack, costing them, on average, around £20,000, and in many cases much, much more.

So how exactly does ISO 27001 help you to more effectively manage your information security? And what does implementing an ISMS actually entail?

Managing information security means preserving the confidentiality, integrity and availability of your information and the facilities you use to process it. That could be your IT systems, infrastructure, or the actual buildings in which your organisation is based.

Confidentiality: ensuring information isn't made available to people or organisations who don't have authorisation to see it.
Integrity: ensuring the information is both accurate and complete.
Availability: ensuring the information can be made available and used when an authorised person or organisation demands it.


It might be that you've been so focused on keeping information confidential that you've overlooked integrity and availability. You're not alone! But now that IT and digital data are – or are likely to become – such vital elements of your business, you need to be mindful of all three aspects.

And this is where an ISMS comes in.

It's a system of processes, documents, technology and people that helps to manage, monitor, audit and improve your information security. With an ISMS you can manage all your security practices consistently and cost-effectively.

But it's important not to see information security as solely your IT team's responsibility – 'information' isn't just confined to your computer files and IT networks. Information security must be a concern of your entire organisation, embedded in all practices, policies and procedures and communicated clearly to every employee.

And as is the case with all quality management systems, without buy-in from top management and the people who'll implement and maintain the system, you'll likely struggle to reach the level of diligence you need to achieve certification to the ISO standard.

Bear in mind that it's neither a quick nor temporary process. Embedding ISO 27001 practices into your organisation is complicated, and involves making often substantial changes to your strategy, operations and company culture. If you're a small business, you may need 4–5 months to prepare for an audit; larger organisations might need more than a year. And don't rest on your laurels: you're operating in a rapidly changing business environment, and your ISMS must continually evolve and improve to remain effective.


What you should do now

For more information about ISO 27001, download our toolkit.


Tags: ISO 27001