What is ISO/IEC 27001?
ISO 27001:2022 specifies the requirements for managing an Information Security Management System (ISMS) for businesses of all types and sizes.
The objective of ISO/IEC 27001 is to protect three aspects of information: confidentiality, integrity and availability. Overall, it provides your company with a framework to protect your business’s reputation and secure customer data. To be certified to the ISO/IEC 27001 standard, a company must follow the requirements set out in the ISO 27001 standard. The current version of the standard is ISO/IEC 27001:2022.
Why ISO/IEC 27001?
Today, data is one of the most valued assets a business can acquire. Our growing dependence on information systems and services has created unprecedented threats to security, creating an urgent need for companies to keep data secure, whether that data belongs to customers, staff or suppliers. Not only is data valuable to your company, but with data security a growing topic in mainstream media, becoming ISO/IEC 27001 certified is a great way to protect your reputation.
A few details about ISO 27001:
ISO 27001 lays out the requirements for an information security management system. There are several different documents within the ISO 27000 family of standards relating to information and cyber security, offering a comprehensive set of controls that allow your organization to implement best practice in information security. In most cases, entire organizations will seek certification, but the scope of the ISMS can be tailored to meet your organization’s specific needs, such as a specific department. The current version, ISO 27001:2022, was published in October 2022 (hence the :2022).
- It does NOT matter what size your organization is: 1 person or 1 million people can still seek certification.
- It does NOT matter what industry you are in (service or manufacturing) – it can be a restaurant, consultancy, manufacturing company, government entity, etc.
- It is NOT a personal standard – an individual cannot get certified to ISO 27001; instead, an organization or company becomes certified. Individuals, however, CAN become an ISO 27001 Certified Lead Auditor after a 5-day training course. This then allows them to audit other companies.
- There is no such thing as “ISO Certification” or “ISO 27000 Certification”, only ISO 27001 certification.
- It is NOT a membership group – an organization cannot “join” ISO 27001. To become ISO 27001 certified, your organization must:
  - Follow the steps to implement an ISO 27001 information security management system.
  - Then have a Certification Body (CB or Registrar) audit the performance of your organization against the latest version of the ISO 27001 requirements. If you pass this audit, you will be certified for a three-year period.
  - Following certification, undergo the required annual assessments.
  - Finally, be recertified every three years in order to maintain ISO 27001 certification status.
The Definition of ISO/IEC 27001 Certification
“ISO 27001 Certified” means an organization has met the requirements in the ISO 27001 standard. ISO 27001 evaluates whether your information security management system is appropriate and effective, while requiring you to identify and implement improvements to guarantee its integrity.
Continuous improvement assures your customers that your company is consistently monitoring and improving its performance. Internally, the organization will benefit from increased job satisfaction, improved morale, increased trust and improved operational results.
History of ISO/IEC 27001
ISO/IEC 27001 was established in 2005 in response to the increased demand for adequate security controls to protect information assets and give confidence to interested parties. It was jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005.
ISO 27001:2005 was based on BS 7799, a standard originally published by BSI Group in 1995.
After BS 7799 was established and a lengthy discussion had taken place in the worldwide standards bodies, it was eventually adopted by ISO as ISO/IEC 17799, Information technology – Code of practice for information security management. After further revision, it was renamed ISO/IEC 27002 in 2007. ISO 27002 provides additional guidance for implementing the security controls recommended in ISO 27001.