What is ISO 27001, and why should you care?

If you deal with important information, you need to check out ISO 27001 so you can set a good baseline for your data security.

With your plant data in the cloud, marketing strategy on your local server, invoice processing through an ERP system, employee data in the human resource safe, and NDA with Big-Company Inc. in the CEO’s inbox, your company handles a lot of valuable information that needs protection.

You don’t want your marketing plan posted on a forum or your ERP-system down for hours or unauthorized access to your bank account, right?

Today we’ll talk about how ISO 27001 works and how it can secure your information assets.

What is ISO 27001?

The International Organization for Standardization is a non-governmental global organization which brings together experts to develop international standards for the market. Amongst ISO’s more than 23,000 published standards, the ISO 27001 has gained massive importance in the certification world.

Previously Published ISO-surveys show worldwide ISO 27001 certification increasing roughly 20% per year since 2006.  In 2018, almost 60,000 sites had ISO-27001 certification.  

So what is it?

ISO 27001:2013 defines the requirements for creating, maintaining, and improving an information-security management system (ISMS). This standard provides rules and processes to manage your ISMS:

•      Definition of key roles, like information-security manager

•      Structured risk-management methodology for assets

•      Processes for evaluation and creation of internal information-security instructions

•      Tools for ISMS surveillance – audits, penetration testing, KPI monitoring, etc.

•      Criteria for handling security issues (incident management)

•      Requirements for training and awareness

•      Recommended actions to improve security

The last one is critical! Not only do you get requirements for the ISMS, you also get a to-do list of information security actions, called controls.

Annex A of ISO 27001:2013 has a list of 114 controls, grouped in 14 categories. These controls establish a baseline security level against which you can challenge your operations, buildings, suppliers, and more.

And best of all, it covers way more than your company’s IT department! You can plug every gap against external attacks if you implement these measures:

• Information-security policies

• Organization of information security

• Human-resource security

• Asset management

• Access control

• Cryptography

• Physical and environmental security

• Operation security

• Communication security

• System acquisition, development, and maintenance

• Supplier relationships

• Information-security incident management

• Information security of business continuity management

• Compliance

Finally, keep in mind that ISO 27001 only tells you only what to do, not how. You have to adapt the standard’s requirements to your company’s needs and resources.

For example, we host Netilion on Amazon Web Services, which is ISO-27001 certified. When Netilion provide services or features, it uses secured communication channels. And yes, the certification is on its way for those too.

Stay up to date with the world of IIoT and Netilion.

Subscribe to our newsletter to receive informative articles. By subscribing, you agree that you have read and accept the Privacy Policy. You can unsubscribe at any time.

Please Select AALAND ISLANDS ALBANIA ALGERIA AMERICAN SAMOA ANDORRA ANGOLA ANGUILLA ANTIGUA AND BARBUDA ARGENTINA ARMENIA ARUBA AUSTRALIA AUSTRIA AZERBAIJAN BAHAMAS BAHRAIN BANGLADESH BARBADOS BELARUS BELGIUM BELIZE BENIN BERMUDA BOLIVIA BONAIRE BOSNIA AND HERZEGOWINA BOTSWANA BRAZIL BRUNEI DARUSSALAM BULGARIA BURKINA FASO BURUNDI CAMBODIA CAMEROON CANADA CAPE VERDE CAYMAN ISLANDS CENTRAL AFRICAN REPUBLIC CHAD CHILE CHINA CHRISTMAS ISLAND COCOS (KEELING) ISLANDS COLOMBIA COMOROS CONGO, Republic of CONGO, Democratic Republic of (was Zaire) COOK ISLANDS COSTA RICA COTE D'IVOIRE CROATIA CYPRUS CZECH REPUBLIC DENMARK DJIBOUTI DOMINICA DOMINICAN REPUBLIC ECUADOR EGYPT EL SALVADOR EQUATORIAL GUINEA ERITREA ESTONIA ETHIOPIA FALKLAND ISLANDS (MALVINAS) FAROE ISLANDS FIJI FINLAND FRANCE FRENCH GUIANA FRENCH POLYNESIA GABON GAMBIA GERMANY GHANA GIBRALTAR GREECE GREENLAND GRENADA GUADELOUPE GUAM GUATEMALA Guernsey GUINEA GUINEA-BISSAU GUYANA HAITI HONDURAS HONG KONG HUNGARY ICELAND INDIA INDONESIA IRAQ IRELAND ISRAEL ITALY JAMAICA JAPAN JERSEY JORDAN KAZAKHSTAN KENYA KIRIBATI KOREA, REPUBLIC OF KOSOVO, REPUBLIC OF KUWAIT KYRGYZSTAN LAO PEOPLE'S DEMOCRATIC REPUBLIC LATVIA LEBANON LESOTHO LIBERIA LIBYAN ARAB JAMAHIRIYA LIECHTENSTEIN LITHUANIA LUXEMBOURG MACAU MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF MADAGASCAR MALAWI MALAYSIA MALDIVES MALI MALTA MARSHALL ISLANDS MARTINIQUE MAURITANIA MAURITIUS MAYOTTE MEXICO MICRONESIA, FEDERATED STATES OF MOLDOVA, REPUBLIC OF MONACO MONGOLIA MONTENEGRO MONTSERRAT MOROCCO MOZAMBIQUE MYANMAR NAMIBIA NAURU NEPAL NETHERLANDS NETHERLANDS ANTILLES NEW CALEDONIA NEW ZEALAND NICARAGUA NIGER NIGERIA NORFOLK ISLAND NORTHERN MARIANA ISLANDS NORWAY OMAN PAKISTAN PALAU PANAMA PAPUA NEW GUINEA PARAGUAY PERU PHILIPPINES POLAND PORTUGAL PUERTO RICO QATAR REUNION ROMANIA RUSSIAN FEDERATION RWANDA SAINT HELENA SAINT KITTS AND NEVIS SAINT LUCIA Saint Martin (French Part) SAINT PIERRE AND MIQUELON SAINT VINCENT AND THE GRENADINES SAMOA SAN MARINO SAO TOME AND PRINCIPE SAUDI ARABIA SENEGAL SERBIA SEYCHELLES SIERRA LEONE SINGAPORE SINT MAARTEN SLOVAKIA SLOVENIA SOLOMON ISLANDS SOMALIA SOUTH AFRICA South Sudan SPAIN SRI LANKA SUDAN SURINAME SWAZILAND SWEDEN Switzerland TAIWAN TAJIKISTAN TANZANIA, UNITED REPUBLIC OF THAILAND TOGO TONGA TRINIDAD AND TOBAGO TUNISIA TURKEY TURKMENISTAN TURKS AND CAICOS ISLANDS UGANDA UKRAINE UNITED ARAB EMIRATES UNITED KINGDOM UNITED STATES URUGUAY UZBEKISTAN VANUATU VATICAN CITY STATE (HOLY SEE) VENEZUELA VIET NAM VIRGIN ISLANDS (BRITISH) VIRGIN ISLANDS (U.S.) YEMEN ZAMBIA ZIMBABWE Saint-Barthélemy Georgia TIMOR-LESTE AFGHANISTAN BHUTAN CURACAO PALESTINIAN TERRITORY, Occupied Isle of Man Palau

Why is certification important?

With certification, a company can prove that it meets a standard’s requirements. An independent certification body audits a company against the standard and certifies it only if it meets all the requirements. This body is not only independent from the company but also regulated by a national accreditation body to maintain the quality of its audits.

Similarly, when it comes to choosing and working with suppliers, certification can help here too. You have plenty of options, of course:

1. Visit a potential supplier to see for yourself whether they maintain good practices, but the travel can become costly, and you may not learn everything you need to know.
2. Just ask. Sometime the easiest way to get information is to ask for it. A supplier with a good reputation should provide fairly creditable answers, but this method comes with few guarantees.
3. Request a certificate from an accredited certification body. The certification body will review the supplier at least yearly, and certification promises that the company conforms to the standard.
4. Close your eyes and hope for the best. We recommend all of the other approaches before this one.

Further considerations

If you made it this far, you obviously care about information security, so you may want to look into acquiring a system that meets ISO 27001 standards. Most certified companies will have that information on their websites, usually on their home pages because they’re understandably proud of it.

As mentioned in our previous blog post, Netilion has received a 4-star ranking from EuroCloud’s Star Audit Assessment for its secure platforms and state-of-the-art security protocols. But what about ISO 27001, you say?

Endress+Hauser Process Solutions AG, Netilion’s parent company, has reviewed the requirements and applied with every expectation of succeeding. So, stay tuned for the release of Netilion’s ISO-27001 certificate!

That means that now would be a good time to do your research on IS systems. Try a few out, if they offer a free-trial option (Netilion does). See what each does and how well it works for your company.

And as always, if you liked this article, please share it on social media using #Netilion.

Stay safe!