ISO/IEC 27001

ISO 27001 is the international standard that describes best practice for implementing an ISMS (information security management system).
Achieving accredited certification to ISO 27001 demonstrates that your company is following information security best practice, and delivers an independent, expert assessment of whether your data is adequately protected. The framework presupposes that an organization adopting ISO 27001 will operate an Information Security Management System (ISMS). Within that ISMS, ISO/IEC 27001 requires management to systematically manage the organization’s information security risks, taking into account threats and vulnerabilities.

The framework then requires the organization to design and implement information security (InfoSec) controls that are both coherent and comprehensive. The goal of these controls is to mitigate the identified risks. From there, the framework suggests that the organization adopt an ongoing risk management process. To be certified as ISO 27001-compliant, an organization must demonstrate to the auditor that it is using what ISO refers to as the “PDCA Cycle.”
 
The PDCA cycle is a business management method built around four main steps that should be applied continuously as change is considered in the company. The four steps are:

  • Plan — Establishing the ISMS itself, along with the policies, objectives, processes, and procedures for risk management.

  • Do — Implementing the actual functioning ISMS, including putting InfoSec policies, procedures and so forth into operation.

  • Check — Monitoring and reviewing the ISMS, measuring process performance against policies and objectives.

  • Act — Updating and improving the ISMS. This may mean undertaking corrective and preventive actions on the basis of internal audit and management review.

Companies and government agencies adopt ISO 27001 in order to become certified as compliant; otherwise, it is a lot of work with little to show for the effort. ISO certifies compliance through the work of approved audit firms. A company goes through a process of applying for certification with ISO, which usually involves working with an experienced consultant, who may then also act as the auditor and certifying authority.