ISO 27001:2013 is one of the most popular information security standards worldwide, recognised as the best practice framework for an Information Security Management System [ISMS].
ISO is the International Organization for Standardization and IEC is the International Electrotechnical Commission. Both are non-governmental, non-profit organisations that work independently of any government. Together they form Joint Technical Committee 1 [ISO/IEC JTC 1], in which standards for Information Technology and Information and Communications Technology [ICT], including the ISO/IEC 27000 series, are developed and maintained.
Because ‘International Organization for Standardization’ would yield different acronyms in different languages (“IOS” in English, “OIN” in French for Organisation internationale de normalisation), the founders decided on the short form “ISO”, derived from the Greek ‘isos’, meaning “equal”.
The history of ISO 27001 dates back to British Standard BS 7799, published by the British Standards Institution [BSI] in 1995 and based on a code of practice originally written by the Department of Trade and Industry [DTI]. ISO later adopted it as an internationally recognised best-practice standard within the ISO/IEC 27000 series, to help organisations secure their information assets. At the time of writing the current edition is ISO/IEC 27001:2013; the 2017 European (EN) edition discussed below incorporates the corrigenda published since 2013 but adds no new requirements.
ISO 27001 helps an organisation reduce its information security and data protection risks. Several ISO 27001 requirements overlap with those of the Data Protection Act and the GDPR, and implementing the standard delivers much greater information assurance overall. Certification demonstrates to regulatory authorities that your organisation takes the security of information seriously, and the risk assessment at its core identifies risks so that, as far as is reasonably practicable, they can be addressed.
There has been much scaremongering around the potential fines for GDPR non-compliance. Whatever the eventual penalties, an Information Security Management System [ISMS] reduces the likelihood of security breaches, enables an organisation to detect and react to them more quickly, and provides a means of validating the controls in place, all of which reduce the potential impact when a breach does occur.
ISO 27001 is an internationally recognised best-practice standard. It gives the people you want to work with confidence that you will look after their valuable assets and information, and that assurance helps you win new Customers and retain their existing business.
Why absorb the cost of an information loss affecting your Customers when being better prepared costs a fraction of that? Customers increasingly seek assurance of data protection and information security management capabilities. Rather than adding unnecessarily to your organisation’s cost of sale, holding an ISO 27001 certificate minimises the detail you need to provide to give Customers that assurance. Overall, you save time and money.
An organisation’s reputation is at stake if its systems are compromised and customer data is exposed and exploited. With an ISMS that conforms to the ISO 27001 standard, an organisation can identify breach risks and treat them before they are realised. ISO 27001 helps boost your Company’s reputation and builds trust in the market.
To achieve ISO 27001 certification, an organisation must meet all of the core requirements in clauses 4 to 10 of the standard. A fundamental one is to identify, assess, evaluate and treat information security risks. The output of that risk management process determines which of the ISO 27001 Annex A controls are applied to treat those risks, and the choice is recorded, with justification for each inclusion and exclusion, in the Statement of Applicability.
Some companies choose not to take their Information Security Management System to certification but simply to align with the ISO 27001 standard. This may satisfy internal pressures, but it delivers less value to external stakeholders, who increasingly look for certification issued by a certification body that is itself accredited by a national accreditation body such as the United Kingdom Accreditation Service [UKAS].
In practice there is very little difference between the 2013 and 2017 versions of the ISO 27001 standard: a few minor corrections and a change of designation.
The 2013 text was not altered by the 2017 publication, which introduced no new requirements. The latest published version of the Information Security Management System standard is BS EN ISO/IEC 27001:2017, the European (EN) edition; the 2017 designation indicates approval by CEN/CENELEC as a European Standard and incorporates the two technical corrigenda issued in 2014 and 2015.
For those seeking UKAS-accredited ISO 27001 certification, certificates are issued against the ISO standard itself, and the 2017 revision made no modifications that affect certification status, so no additional transition activities are required.