Many people have heard of ISO27001, the international standard for information security. Many see it as a burdensome and difficult thing to do, but whilst it does require a level of documentation and record keeping, the principles behind the standard are very simple.
If you have never looked at the standard before you would be forgiven for thinking that it is all about technology. In fact, only the controls you put in place are influenced by technology. ISO27001 is all about the ‘system’ for managing your information security, not about the technology itself. If we look at the standard’s main headings we can see this clearly:
- Context of the organisation – Can you describe your operating environment and the risks associated with it?
- Leadership – Can you demonstrate that there is clear leadership and drive to develop a culture of security?
- Planning – Have you put in place plans to develop, maintain and continually improve a security programme?
- Support – Can you provide evidence that you have adequate resources in place to support your management system?
- Operation – Can you provide evidence that risks and issues related to information security are being assessed across your operation?
- Performance evaluation – How do you know your security programme is effective? Do you have some way to evaluate it?
- Improvement – When you spot something going wrong with the security management programme, do you have a process to learn the lessons and improve it?
Implementing an effective information security management system (ISMS) takes effort, but more than anything it requires commitment and leadership. The benefit of an effective ISMS is that it quickly becomes a ‘trust mark’ and a ‘code of conduct’ for the way you treat data. In a world that is obsessed with the how and the why of using data, having ISO27001 in place means you can show that you are a company that can be trusted.