ISO/IEC 27001 formally specifies an information security management system (ISMS) intended to bring information security under explicit management control. Being a formal specification, it mandates specific requirements, so an organisation that claims to have adopted ISO/IEC 27001 can be formally audited and certified as compliant with the standard (note that a certificate covers the ISMS within its declared scope, not necessarily every system the organisation operates). ISO/IEC 27001 requires that management:
- Systematically examines the organisation’s information security risks, taking account of the threats, vulnerabilities, and impacts.
- Designs and implements a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
- Adopts an overarching management process to ensure that the information security controls continue to meet the organisation’s information security needs on an ongoing basis.
Why is ISO 27001 so important and what business benefits does it offer?
The business benefits of ISO 27001 certification are considerable. Not only does the standard help ensure that a business’s security risks are managed cost-effectively, but adherence to a recognised standard sends a valuable message to customers and business partners: this business does things the correct way. ISO 27001 provides a structured basis for monitoring, reviewing, maintaining and improving a company’s information security management system, and certification gives partner organisations and customers greater confidence in the way they interact with your business.
- ISO 27001 is the de facto international standard for Information Security Management
- It demonstrates a clear commitment to Information Security Management to third parties and stakeholders
- It can provide a framework to ensure the fulfilment of commercial, contractual and legal responsibilities
- It provides a significant competitive advantage, and can effectively be a license to trade with companies in certain regulated sectors
- It provides a common basis for interoperability between organisations, or between groups within an organisation
- It can provide compliance with, or certification against, a recognised external standard which can often be used by management to demonstrate due diligence.