Improve Your Enterprise Information Security through Compliance with ISO/IEC 27001
Information security is not optional, considering the statutory requirements for protecting the personal data of customers.
The implementation of an information security management system (ISMS) is necessary to reduce, or completely eliminate, the consequences of information security attacks and vulnerabilities on the enterprise. In so doing, the enterprise minimises the risk of disruption to quality services and improves the level of data integrity. Customers gain more confidence in transacting with the business online, and the enterprise's assets are safeguarded. Implementation of a proper information security management system also entails the setting of policies and procedures. A systematic approach is followed to keep company and customer information secure. As such, it is not limited to the technology: all the people and processes in the company form part of the risk profile.
The company, as part of the planning process, must set the policy and the scope for its information security management system and perform a thorough assessment of all the risks that must be addressed. The company must also treat the identified risks, set the control objectives and the controls that must be in place, and then prepare the statement of applicability.
The International Standard Organisation (ISO) developed the ISO 27001 standard for the development and implementation of an information security management system. Companies don't have to become certified, but compliance certainly improves their security profile, as an ISO 27001 ISMS improves the management of enterprise data and sensitive information for maximum protection against internal and external threats to the company's data.
Following the systematic top-down approach of ISO 27001, enterprises can better coordinate their efforts to address data threats. Certification helps firms to demonstrate their conformance to the requirements of the international standard. It thus helps to increase customer and business partner confidence in an enterprise's ability to protect their personal information.
Implementation holds the following benefits for the enterprise:
- Streamlining of business data operations.
- Protection against disruption of data flow and operations.
- Reduction in preventative measure costs.
- Improved confidence of business partners and customers in the enterprise’s integrity.
The employees of the enterprise also benefit from implementation:
- Confidence in their employer’s ability to meet data security legislative requirements.
- Proper access controls reduce the risk of data being shared without authorisation.
- Improvement in productivity because of business continuity.
Customers benefit from the protection of their personal data, and this helps to build stronger relationships with the service providers or product suppliers.
Why the New Standard?
Changes in the data environment over the past few years necessitated an update of the ISO 27001:2005 standard to include controls for managing areas such as cloud usage and data storage. ISO/IEC 27001:2013 replaced the 2005 version. The standard is published jointly by the ISO and the International Electrotechnical Commission (IEC).
The new standard consists of ten clauses, the first of which defines the scope and applicability of the standard. The standard can be applied to an organisation of any size, regardless of the industry in which it operates. The second clause deals with normative references, followed by the terms and definitions, which refer back to ISO 27000. The fourth clause addresses the context of the organisation and its stakeholders, with the fifth clause focusing on leadership and top-level policy support.
The standard then addresses the planning of the ISMS, including risk assessment and risk treatment, followed by the clause on support for such a system. Clause 8 deals with the requirements for making the system operational, followed by the clauses on performance evaluation and on corrective actions to be taken. The changes in the standard have made it easier for managers who have worked with other ISO management systems to understand and apply the core principles of implementing an ISMS. Risk assessment, controls, corrective action, internal auditing, policy development, and certification also form part of the other ISO management system standards, which makes the integration of the various management systems easier.
Our Role
We provide a full range of services to help your organisation become and stay ISO 27001-compliant, including consultancy on the implementation of a compliant information security management system and training of personnel in areas such as internal auditing and the requirements of the new ISO 27001. We furthermore offer gap analyses, preparation for certification, auditing, and compliance maintenance services and expertise.