ISO 27001 told by the company that owns it

What exactly is an ISO 27001 certified Information Security Management System, and what requirements must be met to obtain the certificate? Does it really bring value to the information market, and why do the largest financial institutions, such as banks, attach so much importance to it?

Transparent Data
Blog Transparent Data ENG
8 min read · Nov 6, 2020

ISO 27001 Information Security Management System standard

Fresh from Transparent Data's fourth successive ISO 27001 audit, we reveal some major and minor secrets of this international standard:

  • What ISO/IEC 27001 is and who established it
  • Why it is said to bring value to the information market
  • Why it is worth checking whether a company that provides us with data, or processes our data, holds it
  • TOP ISO 27001 Q&A for companies wondering whether to get it (including what the most difficult part of the whole certification process is)
  • The 4 key steps of the entire process of applying for an ISO 27001 certificate.

What exactly is the ISO/IEC 27001 Certified Information Security Management System?

Generally speaking, an Information Security Management System (ISMS) compliant with the international ISO/IEC 27001 standard is a set of requirements for establishing, operating, monitoring and continually improving a risk-based approach to information security across all areas of a company's activity, with conformance to those requirements assessed by an independent third party.

This internationally respected certificate and the requirements for obtaining it were established jointly by the International Organization for Standardization (ISO), an independent, non-governmental organization and the world's largest developer of voluntary international standards, and the International Electrotechnical Commission (IEC), which prepares international standards for electrical, electronic and related technologies. The standards prepared by these bodies form the basis of many national standards and are routinely referenced in international contracts and tenders.

Certification to ISO/IEC 27001 is not a guarantee that data can never be compromised; it attests that, within the scope stated on the certificate, the company systematically identifies risks to the confidentiality, integrity and availability of its information and applies and maintains controls that reduce the risk of unauthorized access. When checking a supplier's certificate, it is therefore worth reading the scope statement, confirming who the certification body is and that it is accredited, and checking the validity date.

Obtaining this certificate places a company alongside the largest players on the global market. It is a genuine distinction, because still few companies that provide economic and business information, or that build tools supporting the analysis of information for business, can claim to meet this standard.

What value does ISO 27001 bring to the information market?

When we think about supporting our own business with external business information, what we consider first is its timeliness and credibility. Nobody needs outdated information once a newer, changed version of it exists. Guesses, opinions and unreliable data are not something we want to base our decisions on.

If we look carefully at the procedure for purchasing company information, we quickly reach one more conclusion: it is not only important what we buy, but also from whom. How the information is stored, who has access to it, and how it is protected against unwanted leakage matter just as much. Recall, for example, this year's high-profile breach of Zoom customers' personal data.

Let’s say it again:

who we buy information from matters.

This is one of the reasons why the most demanding institutions, such as banks, prefer, and often require, their suppliers to hold ISO/IEC 27001 certification.

ISO 27001 from the perspective of the company that has it: TOP Q&A

What does obtaining ISO/IEC 27001 certification mean in practice? How does it affect business operations?

The very process of achieving conformance with the standard brings considerable value to the company's internal processes, its mission and its goals: it helps organize the practices already in use and builds good information-security habits among employees at every level.

It also provides an independent check of whether the solutions the company has adopted really are at a high level, or whether the security system should be improved. Such knowledge is always valuable for a development-oriented company.

Externally, obtaining ISO 27001 opens the door to cooperation with the most demanding clients, such as banks or global corporations. In other words, it increases customers' trust and the company's credibility on the market.

If ISO 27001 increases customer confidence and the company's credibility, why do so few information providers apply for this certificate?

The procedure for obtaining ISO/IEC 27001 certification is long and complicated, and it requires the company to meet very precise requirements regarding risk identification and the security of economic, business and confidential information. A certified Information Security Management System is commonly associated with many months of preparation and training, which is why most companies believe it is available only to the largest players with substantial capital and hundreds of employees.

Can small and medium-sized companies also obtain ISO 27001 certification?

Yes, and we know it from our own experience. At Transparent Data we don't have hundreds of employees, and still we managed to break the stereotype that size matters. We are a relatively small data software house, but in return we are very agile and fast; therefore, despite the increased number of obligations that fell on us along with the preparation for the certification audit, we went through the entire procedure smoothly.

How long is ISO 27001 certification valid?

The standard term is 3 years, but at least once a year the certification body returns for a surveillance audit, re-checking both continued compliance with ISO 27001 and whether the company really strives to improve its system; at the end of the 3-year cycle a full recertification audit is required. This cycle is the same as for the other ISO management-system standards, so the work does not end with obtaining the certificate. You still have to be prepared to keep it.

Is it difficult to meet international information security management standards? Does ISO 27001 involve implementing complicated procedures?

If you are a company that has been operating on the market for many years and has large, demanding customers in its portfolio, then most of the security procedures are already in place, and if not, implementing them will not cause you much trouble. At least that was our case. As a data provider, we had to improve our procedures more than once or twice to meet the very high security requirements of financial institutions long before proceeding with ISO/IEC 27001 certification. That is why implementation was not particularly difficult for us.

The whole experience, however, turned out to be very valuable from the point of view of organizational culture: we had already been doing many things before ISO 27001, but only seeing them written down as requirements made us fully aware of why we do them. As an organization, we have definitely benefited from it.

What is the most difficult part of the entire ISO 27001 certification process?

We probably shouldn't say it out loud, but let's be transparent: the most difficult part is the formal part, i.e. the piles of documents waiting to be filled in. Unfortunately, you should reserve a few weeks for this activity and remember that each change in the company, even a trifle like replacing a computer, requires filling in not one additional document but a whole folder of them.

Are there any specific policies that define the information security management standard?

The most important document to develop is the Integrated Management System Book, which defines the full scope of obligations that must be met to comply with the ISO standard. It contains the complete list of procedures, instructions, policies, company resources and management responsibility charts.

Next there is, among others, the Information Security Policy, which defines the scope of responsibilities and obligations related to the processing of personal data (e.g. the duties of the Information Security Administrator, the IT Systems Administrator, the Integrated Management System Representative and other employees of the company). It also describes what types of data we manage as a company, in which systems they are processed and which data sets we are the controller of.

Other main policies include, for example, the Business Continuity Management Policy, whose aim is to guarantee stable operation of information processing. It must cover, among other things, scenarios of conduct in the event of a cyber attack, system failure, power failure, fire, natural disaster, absence of key employees or loss of assets important to the company.

What does the whole process of applying for an ISO 27001 certificate look like?

The entire process of applying for an ISO 27001 certificate can be divided into 4 key steps:

  1. What you need to do at the very beginning is study the requirements of ISO 27001 thoroughly, and then analyze all the documents the company already has against them. If you find deficiencies or inconsistencies, you have to align your internal policies with the international standard and edit existing documents or create new ones.
  2. The next step is to train all employees and the entire management staff in the policies required by the ISO/IEC 27001 standard. This naturally requires appointing the people in the company who will be responsible for the project from A to Z.
  3. Only then can you start implementing the necessary security controls, and they must "work" in the company's natural everyday environment for at least several months. That they really work must be confirmed by an internal audit, which means the company needs someone competent to audit the system who is independent of the areas being audited: either a trained internal auditor on staff or an external auditor engaged for the purpose.
  4. If all the documentation is complete, employees are trained and in practice the company actually complies with the standard, only then is there a green light to start official efforts to obtain the certificate. You then need to select an accredited management-systems certification body and be ready for an independent external audit, normally conducted in two stages: a review of the documentation, followed by an on-site audit of how the system works in practice. Only after this formal assessment does the company receive the certificate.

The real value of ISO 27001 in business (client perspective)

To explain the importance of the 27001 standard in the area of company data, we can compare companies providing business information to mints. Each company supplies the market with economic information, i.e. gold. The more conscious companies try to increase their customers' security and their own by taking special precautions, such as guarding the convoy or adding extra locks. ISO 27001 in this comparison is a special escort unit plus a 15 mm thick chain with three padlocks: one opened by a combination, the second by a fingerprint and the third by what you just ate for breakfast.