ISO/IEC 27001 and the other ISO27k standards

ISO/IEC 27001 is an international standard specifying the requirements for Information Security Management Systems, in a succinct, formalized style that makes the standard amenable to conformity auditing and certification. The standard is generic and hence can be applied to all types and sizes of organization, in any industry, anywhere in the world.

A ‘management system’ is described by ISO as “the way in which an organization manages the interrelated parts of its business in order to achieve its objectives.” The approach is designed to feed managers the information they need to oversee, and the governance/management levers necessary to direct, the organization’s activities. As such, the standard stops short of mandating specific information security controls, leaving that to management’s discretion according to its determination of the organization’s information risks.

ISO’s standardized approach is common across its management systems standards such as ISO 9001 (quality management), ISO 14001 (environmental management) and ISO 22301 (business continuity).

Familiarity with any one implies a fundamental appreciation of any other. For example, they all incorporate the concept of continuous improvement, systematically responding to issues and driving maturity in ways that suit the organization's needs.

Information is core to ISO/IEC 27001, in particular risks to an organization’s own information (e.g. accounting data in its financial systems, its trade secrets, and the knowledge and expertise of its workers) plus other information in its care (e.g. personal details about employees, customers and business contacts, and intellectual property such as software licensed or provided by third parties).

Information security involves ensuring adequate levels of confidentiality, integrity and availability of information, protecting the associated systems, networks, services and processes. Maintaining information availability, for instance, is necessary for legitimately exploiting information for business purposes. Integrity covers aspects such as the completeness, accuracy and timeliness of information, and broader concerns such as trustworthiness and reliability. Confidentiality includes secrecy and is a major part of privacy.

Adopting ISO27k secures worthwhile business benefits such as:

• Protecting valuable information: more specifically, information security enhances the confidentiality, integrity and/or availability of the information content, plus the associated processes, IT systems, networks, services etc., while avoiding excessive security.
  
  
• Consistency: information security includes but extends beyond IT or cybersecurity, addressing risks to all forms of valuable information including intellectual property, proprietary information and personal information.
  
  
• Proportional control: determining how best to deal with information risks (e.g. how urgently, using which resources) depends on a sound appreciation of the nature and significance of those risks, hence risk identification, analysis and evaluation are fundamental.
  
  
• Reducing losses: effective, appropriate security controls minimize the probability and severity of incidents caused deliberately (e.g. hacks, frauds, disinformation) or accidentally (e.g. floods, equipment failures, misconfigurations, inadvertent disclosures).
  
  
• Governance roadmap: faced with bewildering possibilities, the ISO27k standards provide a rational, straightforward structure and approach for senior management to ensure that appropriate information security arrangements are put in place, used and maintained.
  
  
• Increasing assurance and trust: conformity and especially accredited certificaton demonstrates management's commitment towards good practices for information security, privacy, compliance, ethics etc. to interested parties such as the organization's customers, employees, partners, investors and the authorities.
  
  
• Achieving and maintaining compliance: various laws, regulations and contractual terms impose requirements on the organization regarding information security, privacy, accuracy, completeness, timeliness etc. These, along with other business/management requirements, are key objectives driving the ISMS.
  
  
• Enhancing resilience: adequately protecting the information, IT systems and processes that are vital to important operational activities and business objectives reduces the possibility of costly disruptive incidents, adverse publicity, customer defections etc. Cyber-crimes such as ransomware and extortion, for instance, are existential risks to any organization that is reliant on its own information systems, or that relies on suppliers, partners or customers that are IT-dependent – in other words, every organization.
  
  
• Focusing on priorities: using the risk assessment process, significant risks are prioritized for analysis and treatment, while information security controls that are of little to no value can be dropped, releasing resources for other more important things.
  
  
• Strengthening brands: aside from merely claiming to protect information, certified conformity with ISO/IEC 27001 enhances the organization’s reputation and is increasingly being demanded by discerning customers, partners, investors and regulators.
  
  
• Enabling the business: it would be reckless for the organization to run its financial and HR systems, operations, websites etc. without appreciating and limiting the associated information risks to tolerable levels. Information security is not just good for business, it is essential in today’s risky business environment.
  
  
• Proactive adaptation: the ever-changing threats, vulnerabilities and business impacts make information risk management a dynamic challenge. Failing to keep pace with the field means falling behind and being increasingly threatened.
  
  
• Continuous improvement: routine monitoring plus periodic reviews and audits feed back into the information risk management process, driving incremental updates and maturity through improved security, resilience, efficiency, assurance, compliance etc.

ISO/IEC 27001 was last revised in 2022, along with ISO/IEC 27002 (a structured catalog of information security controls) and ISO/IEC 27005 (about the process of managing risks to information). Other standards in the ISO27k series provide futher, more detailed guidance in related areas such as certification, governance, security metrics, cloud security, supply chain security and privacy. Taken as a whole, ISO27k is a well-rounded guide to good information risk and security practices.

Please search www.ISO.org for definitive information on the published standards, and browse www.ISO27001security.com for further details including an extensive FAQ, the ISO27k Forum and a business case paper you can customize to persuade your management to invest in an ISO27001 ISMS, for genuine business reasons. For camera-ready ISMS templates and assistance with any of this, visit www.SecAware.com or get in touch. How can we help?