ISO/IEC 27001 is the leading international standard focused on information security. This standard is published by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC). Both are leading international organizations that develop international standards.
ISO-27001 is part of the ISO/IEC 27000 series of standards developed to handle information security.
ISO 27001 was developed to help organizations, of any size or any industry, protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).
The standard provides companies with the necessary know-how for protecting their most valuable information, but a company can also get certified against ISO 27001 and prove to its customers and partners that it safeguards their data.
Individuals can also get ISO 27001 qualifications by attending a course and passing the exam and, in this way, prove their skills to potential employers.
ISO 27001 was developed to help organizations, of any size or any industry, protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).
ISO 27001 is an international standard and is easily recognised all around the world. This global recognition increases business opportunities for organisations and professionals.
The basic goal of ISO 27001 is to protect three aspects of information:
- Confidentiality: only the authorized persons have the right to access information.
- Integrity: only the authorized persons can change the information.
- Availability: the information must be accessible to authorized persons whenever it is needed.
These goals are achieved through the use of an Information Security Management System (ISMS). An ISMS is a set of rules that a company needs to establish in order to:
- identify stakeholders and their expectations of the company in terms of information security,
- identify which risks exist for the information,
- define controls (safeguards) and other mitigation methods to meet the identified expectations and handle risks,
- set clear objectives on what needs to be achieved with information security,
- implement all the controls and other risk treatment methods
- continuously measure if the implemented controls perform as expected,
- make continuous improvement to make the whole ISMS work better.
This set of rules can be written down in the form of policies, procedures, and other types of documents, or it can be in the form of established processes and technologies that are not documented. ISO 27001 defines which documents are required, i.e., which must exist at a minimum.
Implementing this standard helps an organisation to achieve four essential business benefits:
- Compliance with legal requirements
- Achieving competitive advantage
- Lower costs (through lowering the likelihood and impact of risks)
- Better organization (generally more process-driven, and more secure).
