【TEJ Dictionary】 ISO 27001: Companies Can’t Be Without It in 2023

TEJ 台灣經濟新報, published in TEJ Dictionary
5 min read, Mar 17, 2023

Nobody can predict whether a cybersecurity crisis will happen, but there is a leading indicator that can identify risky companies.


Preface

The previous article mentioned that AI-driven digital transformation presents more serious security challenges for companies, making an information security management system (ISMS) necessary to tackle evolving threats. ISO 27001 has therefore become an essential indicator for companies. In this article, we introduce how ISO 27001 helps companies avoid security risks and give an overview of the ISO 27001 certification status of companies in Taiwan.

Keywords: Information Security, Cybersecurity, ISO, ISO 27001

Guidance

📍 C.I.A. and PDCA
📍 The Information Security Pass: ISO 27001
📍 How Effective Is ISO 27001?
📍 The Status Quo of Taiwanese Companies

C.I.A. and PDCA

Data is a vital asset for enterprises. As cloud migration becomes increasingly popular, how can businesses ensure the security of this "vital asset"?
There are two things we need to understand: the three attributes of information security (C.I.A.) and the PDCA cycle:

  1. Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
  2. Integrity: The property that information is accurate and complete.
  3. Availability: The property that authorized entities can access and use information when needed.

Meeting C.I.A. is the core value of enterprises achieving information security, but how can investors know whether companies have achieved this? This requires a third-party standard to investigate. Currently, the most popular standard is ISO 27001, based on the PDCA framework.

1. Plan: Set goals for managing security risks and establish the principles and control measures that will improve the security system.
2. Do: Implement the planned principles and control measures.
3. Check: Review and compare the actual implementation with the goals.
4. Act: Take action based on the differences identified in the Check stage to improve the system further.

Businesses can use this cycle to review and optimize their ISMS, controlling risks to an acceptable level and assuring the C.I.A. of their information.

Figure: PDCA cycle of Chunghwa Telecom. Source: https://www.cht.com.tw/en/home/cht/esg/customer-care/cybersecurity

Now, let me introduce the international information security pass, ISO 27001, and how it can save companies from security risks.

The Information Security Pass: ISO 27001

ISO 27001 is an ISMS standard designed to help businesses identify, manage, and reduce various information risks. The standard was initially published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and was updated in 2013 and 2022. It covers the standards and specifications businesses need to implement an internationally recognized ISMS.

By obtaining ISO 27001 certification, businesses can demonstrate that their information security management has passed strict inspection against the ISO standard. What’s more, certified companies are required to undergo reassessment annually. As such, ISO 27001 is an essential indicator for investors, international corporations, and governments when assessing security protection.

ISO 27001 consists of two parts: the main clauses and Annex A. The main clauses (the standard) require that information security risk be kept at an acceptable level and establish a complete management cycle. Annex A (the specification) provides 93 control measures, detailing risk control specifications for four areas: organizational, people, physical, and technological.

Figure: ISO 27001:2022, the four areas and the number of controls in each. Integrated by TEJ

Remember, ISO 27001 is more like a “conceptual framework” outlining the scope of controls a company should implement. ISO 27002, on the other hand, is a “guideline” that explains how the Annex A controls of ISO 27001 should be implemented in practice. Note that neither ISO 27001 nor ISO 27002 is mandatory; companies may decide whether to adopt them based on their needs.

How Effective Is ISO 27001?

We know that what everyone most wants to know is whether obtaining ISO 27001 certification effectively prevents security risks for businesses.

Before answering that, let’s first understand the four benefits of obtaining ISO 27001:

1. Improving management efficiency
2. Reducing operating costs
3. Increasing the credibility of information security
4. Expanding into international markets

We want to highlight the second benefit, reducing operating costs. Because ISO 27001 requires a company to assess its information security risks and prepare response measures in advance, it indirectly reduces unnecessary operating expenses.

Applied to a real-life scenario: in the past three years, 50% of companies that experienced security incidents had not obtained ISO 27001. Although there is no significant correlation between the two, we still found via the TESG radar that these uncertified companies suffered greater losses in the aftermath of the incidents.

While obtaining ISO 27001 may not wholly prevent security issues, it can mitigate their damaging effects.

Figure source: Integrated from TESG Rating Bank

The Status Quo of Taiwanese Companies

TEJ has compiled the ISO 27001 status of Taiwan’s companies for 2023. Among all industries, the financial and insurance industry is prominent in obtaining ISO 27001, with 27 certified companies and a certification rate of 79%. Taiwan’s renowned manufacturing industry has a relatively high number of certifications but still falls short in certification rate: only 9% and 7%, respectively, for the Semiconductor and the Electronic Parts and Components industries.

Figure source: Integrated from TESG Rating Bank

With the emergence of Fintech, hacker attacks and cybersecurity issues have gradually received attention. Regulators and financial companies have worked hard to practice security protection and have even formulated regulations to strengthen their security governance.

Now, with the wave of industrial IoT adoption, it is the manufacturing industry that has to face these challenges. According to Dragos’s 2022 report, the manufacturing industry suffered 437 ransomware attacks last year. As investors, whether Taiwan’s manufacturing industry can stay away from security risks is our primary concern.

We cannot predict a crisis, but we can track whether a company has obtained ISO 27001 to gauge the quality of its security protection!


Want to know more?

TEJ TAIWAN DB → TESG Sustainability → TESG Sustainable Dataset → Society → Social ISO Certification
Follow the recent information security issues of Taiwanese companies through the TESG Sustainable Dataset…

Follow the latest state of companies’ ISO 27001 certification through the TESG Rating Bank.

If you have any questions about this article or want further access to the TEJ database, please feel free to leave a comment, call us, or e-mail us.

About us

⭐️ TEJ Website
⭐️ LinkedIn

✉️ E-mail: tej@tej.com.tw
☎️ Phone: 02–87681088


TEJ is Taiwan’s largest domestic financial information company, founded in 1990. It provides the information needed for fundamental analysis of financial markets, as well as solutions and consulting services in credit risk, regulatory technology, asset valuation, quantitative analysis, and ESG. As the field of finance grows more diverse and complex, TEJ combines elite talent from industry and academia and is committed to developing new technologies such as machine learning, artificial intelligence (AI), and natural language processing (NLP), continually delivering innovative services.