Over the past few months, more clients have been asking me what ISO 27001 is and what the benefits are of implementing an Information Security Management System based on the standard.

ISO 27001 is a vendor- and technology-neutral, internationally recognised standard which provides companies with a risk-based approach to securing their information. It provides organisations with independent third-party verification that their Information Security Management System meets an internationally recognised standard. This provides a company, and its customers and partners, with the confidence that they are managing their security in accordance with recognised and audited best practices.

However, in my opinion, companies that have implemented an ISO 27001 based ISMS can demonstrate many efficiencies and other benefits, such as:

  • Increased reliability and security of systems:

Security is often defined as protecting the Confidentiality, Integrity and Availability (CIA) of an asset. Using a standards-based approach, which ensures that adequate controls, processes and procedures are in place, will ensure that the above goals are met. Meeting the CIA goals of security will also by default improve the reliability, availability and stability of systems.

  • Increased profits:

Having stable, secure and reliable systems ensures that interruptions to those systems are minimised thereby increasing their availability and productivity.  In addition to the above, a standards based approach to information security demonstrates to customers that the company can be trusted with their business.  This can increase profitability by retaining existing, and attracting new, customers.

  • Reduced Costs:

A standards based approach to information security ensures that all controls are measured and managed in a structured manner.  This ensures that processes and procedures are more streamlined and effective thus reducing costs.

Some companies have found they can better manage the tools they have in place by consolidating redundant systems or re-assigning other systems from assets with low risk to those with higher risk.

  • Compliance with legislation:

Having a structured Information Security Management System in place makes the task of compliance much easier.

  • Improved Management:

Knowing what is in place and how it should be managed and secured makes it easier to manage information resources within a company.

  • Improved Customer and Partner Relationships:

By demonstrating the company takes information security seriously, customers and trading partners can deal with the company confidently knowing that the company has taken an independently verifiable approach to information security risk management.

ISO 27001 can be implemented within an organisation as a framework to work against or indeed the organisation can seek to gain certification against the standard. 

If you are serious about information security and need to know “how secure is secure enough?”, then I strongly recommend you get a copy of the standard with a view to implementing it.

If you need more information then feel free to read our whitepaper “BS 7799 to become ISO 27001” or consider taking our training course “Managing Information Security with ISO 27001”.