What is ISO 27001, and why should you care?
With your plant data in the cloud, marketing strategy on your local server, invoice processing through an ERP system, employee data in the human resource safe, and NDA with Big-Company Inc. in the CEO’s inbox, your company handles a lot of valuable information that needs protection.
You don’t want your marketing plan posted on a public forum, your ERP system down for hours, or someone gaining unauthorized access to your bank account, right?
Today we’ll talk about how ISO 27001 works and how it can secure your information assets.
What is ISO 27001?
The International Organization for Standardization is a non-governmental global organization which brings together experts to develop international standards for the market. Amongst ISO’s more than 23,000 published standards, the ISO 27001 has gained massive importance in the certification world.
Previously published ISO surveys show worldwide ISO 27001 certification growing by roughly 20% per year since 2006. In 2018, almost 60,000 sites held ISO 27001 certification.
So what is it?
ISO 27001:2013 defines the requirements for establishing, implementing, maintaining, and continually improving an information-security management system (ISMS). The standard provides rules and processes for managing your ISMS:
• Definition of key roles, like information-security manager
• Structured risk-management methodology for assets
• Processes for evaluation and creation of internal information-security instructions
• Methods for monitoring the ISMS – internal audits, penetration testing, KPI tracking, management review, etc.
• Criteria for handling security issues (incident management)
• Requirements for training and awareness
• Recommended actions to improve security
The last one is critical! Not only do you get requirements for the ISMS, you also get a catalogue of concrete information-security measures, called controls. Based on your risk assessment, you decide which of them apply to you and justify every inclusion and exclusion in a Statement of Applicability.
Annex A of ISO 27001:2013 lists 114 controls, grouped into 14 domains. These controls establish a baseline security level against which you can measure your operations, buildings, suppliers, and more.
And best of all, it covers far more than your company’s IT department! The 14 domains reach into HR, facilities, purchasing, and legal:
• Information-security policies
• Organization of information security
• Human-resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development, and maintenance
• Supplier relationships
• Information-security incident management
• Information security aspects of business continuity management
• Compliance
Finally, keep in mind that ISO 27001 only tells you what to do, not how. You have to adapt the standard’s requirements to your company’s needs and resources.
For example, we host Netilion on Amazon Web Services, which is ISO 27001 certified. When Netilion provides services or features, it uses secured communication channels. And yes, the certification is on its way for those too.
Why is certification important?
With certification, a company can prove that it meets a standard’s requirements. An independent certification body audits the company against the standard and certifies it only if it meets all the requirements. This body is not only independent of the company but is itself accredited by a national accreditation body, which monitors the quality of its audits.
Certification also helps when choosing and working with suppliers. You have several options, of course:
- Visit a potential supplier to see for yourself whether they maintain good practices. Travel can become costly, though, and you may not learn everything you need to know.
- Just ask. Sometimes the easiest way to get information is to ask for it. A supplier with a good reputation should give fairly credible answers, but this method comes with few guarantees.
- Request a certificate from an accredited certification body. The certification body audits the supplier at least yearly (surveillance audits, with a full recertification audit every three years), and the certificate attests that the company conforms to the standard. Check that the certificate is current and that its scope statement covers the service you are actually buying; a certificate for one site or business unit says nothing about the others.
- Close your eyes and hope for the best. We recommend all of the other approaches before this one.
Further considerations
If you made it this far, you obviously care about information security, so you may want to look into acquiring a system that meets ISO 27001 standards. Most certified companies state that on their websites, usually on the home page, because they are understandably proud of it.
As mentioned in our previous blog post, Netilion has received a 4-star ranking from EuroCloud’s Star Audit Assessment for its secure platforms and state-of-the-art security protocols. But what about ISO 27001, you say?
Endress+Hauser Process Solutions AG, Netilion’s parent company, has reviewed the requirements and applied with every expectation of succeeding. So, stay tuned for the release of Netilion’s ISO-27001 certificate!
That means that now would be a good time to do your research on IS systems. Try a few out, if they offer a free-trial option (Netilion does). See what each does and how well it works for your company.
And as always, if you liked this article, please share it on social media using #Netilion.
Stay safe!