What is ISO 27001:2013?

ISO/IEC 27001 is the international standard for Information Security Management Systems, or ISMSs. ISO 27001 is recognized globally as the framework for managing risks to the security of the information you hold.

ISO27001 is part of the ISO27000 family of standards, which also includes a significant number of supporting guidance documents such as ISO27002 and ISO27005. But if you want your organization to become certified, it’s ISO27001 specifically that holds the requirements you have to meet.

The standard adopts a process-based approach for establishing, implementing, operating, monitoring, maintaining, and improving your ISMS.

So, what is an Information Security Management System?

An ISMS is a set of processes that together help an organization manage its information security by assessing its risks and taking action to reduce them. The management system is simply the set of things you must do to keep on top of your information security, and its main components are:

  • Information security policy – what are your rules on keeping things secure?
  • Objectives – what are you trying to achieve?
  • Risk assessment and treatment – what could go wrong and how can you stop it?
  • Roles and responsibilities – who does what in your ISMS?
  • Competence – does everyone have the skills they need?
  • Awareness training – does everyone think about information security?
  • Monitoring and measuring – quantifying what’s going on.
  • Internal audit – independent checks that it’s all happening as it should.
  • Management review – keeping everything under control.

Why do we need it?

Information security is a business problem, not an IT problem. Risk-based approaches are vital for modern information security effectiveness.
There are many ways to achieve security risk management, so a good standard like ISO 27001 puts formal requirements in place to ensure the right thought processes are followed and documented, which matters when the inevitable breach occurs.

What industries implement ISO 27001?

ISO 27001 Certification is suitable for any organization, large or small, in any sector. The standard is especially suitable where the protection of information is critical, such as in the banking, financial, health, public and IT sectors. The standard is also applicable to organizations which manage high volumes of data, or information on behalf of other organizations such as data centers and IT outsourcing companies.

Can I achieve the same processes without certification?

Many organizations do follow the same process to achieve their security objectives without ever certifying; however, certification is the formal proof that the standard has been integrated. Understanding the standard in enough detail to apply it appropriately is necessary if you want to be truly effective.

Why choose ISO 27001 over other standards such as NIST?

The ISO 27001 standard is flexible enough to be adopted by organizations in any industry and at any level of maturity. It can be integrated at many layers to ensure both security and compliance.

Contact Us

cybercomply provides a range of ISO 27001 Consultancy Services, from ISO27001 Gap Analysis through on-site ISO 27001 Certification Audit Support, and our ISO 27001 Consultants work collaboratively with you throughout the entire ISO 27001 certification process.

We also provide a variety of ongoing Managed ISMS services to our successfully certified clients, often participating in Information Security Risk Assessments, supporting Internal ISMS Audits, external audit visits and other activities.

Get in touch with one of our ISO 27001 experts and let us know what your business needs.
