The Three Great Fundamentals of ISO 27001 | The Centauri Step, Governance and IT Security
The Three Great Fundamentals of ISO 27001
Security once seemed to be just about a pebble in the shoe of IT: for example, it was necessary to be user-oriented at all costs, or to simplify the work of developers.
Over the last ten years, the mass digitalization of much of the economy has accelerated the widespread interconnection of IT systems. Coupled with this, complex geopolitical issues – in particular state intervention – and the growing power of networks and cloud computing have led to a general sense of insecurity.
This is where the ISO 27001 standard comes on the scene like a breath of fresh air.
1) An NGO initiative
Few people give thought to how international standards come into being, but more really should. ISO is a Swiss-based NGO which was founded in the post-war years. It is an entirely independent body which aims to standardize practices through consensus and provide solutions to global challenges.
The International Organization for Standardization decided to abbreviate itself as ISO. “ISO is derived from the Greek ‘isos’, meaning equal. Whatever the country, whatever the language, the short form of the organization’s name is always ISO.”
With 165 countries, each represented by a delegate, it seems somewhat like the UN! Its influence, for that matter, is well proven.
ISO has contributed to progress in all of today’s essential matters, such as food safety, credit cards, the environment – and information security!
A few examples include:
– ISO 9001 standard for Quality
– ISO 14001 standard for the Environment
– ISO 22000 standard for Food Safety
– ISO 27001 standard for Information Security
– ISO 45001 standard for Occupational Health and Safety.
2) A common language
Simply put, having a common language for managing security, is beneficial when IT systems are interconnected. The concerns shared by many IT stakeholders justified the bringing together of leading experts and the development of an international standard to enhance IT security norms.
Inspired by existing business methods – like for quality – ISO 27001 is based on an all-encompassing approach and a focus on continuous improvement. Taking a similar approach and to avoid going into too much tedious, expert-level detail here, we shall refer here to ISO 27001 as a standard in the singular – though, in reality, we mean the whole family of standards that are derived therefrom and that set out its specific applications.
Enabling organizations to improve by implementing high levels of good practice requires an orchestra conductor, and like in other aspects of business, this orchestra conductor is called a “management system”. The information security management system or ISMS connects all the hottest security issues of any business.
3) Demanding goals
Just to give an overview, some of the security topics covered by ISO 27001 include access, firewalls, development, encryption, remote access, and the cloud. In fact, there is a list of no less than 114 different controls. The standard also deals with HR, training, corporate governance, physical security and risk analysis.
Of course, an organization may choose to apply security standards to a specific area only. Yet, no matter how small this area, it is highly likely that its security procedures are also applicable to the rest of the organization.
What to remember: the information security management system (or ISMS) is the orchestra conductor : for all security-related topics as it provides a top-down approach (i.e. from all applicable and updated procedures to their specific applications), with constructive goals for continuous improvement. The ISO standard is a rich and flexible standard, which is constantly being improved. Your ISMS allows you to map out where you want to go, because as Seneca said to Lucilius in c.63 AD: “If one does not know to which port one is sailing, no wind is favourable”.
You must still of course ensure that there is a real motivation to implement ISO 27001, without seeking superficial compliance at any cost. Ticking boxes is not enough. Achieving ongoing collaboration between management and technical teams requires an absolute commitment and a long-term effort.
To be continued…