What is ISO 27001 and why is it critical to your business data?
As more organisations relocate their business-critical data offsite to data centres, the question of how you can help guarantee the management and security of that data becomes more central. One way is for data services suppliers to adopt and gain accreditation against ISO/IEC 27001, the international standard for Information Security Management Systems (ISMS).
ISO 27001 is an international standard that provides a model for establishing, implementing, monitoring, reviewing, maintaining and improving an ISMS. Interested internal and external parties use the standard to assess conformance, and when moving data offsite for storage or duplication, certification against it is an important asset that businesses should demand from their supplier.
The question of conformance is something we are asked more and more. Once prospective customers have reviewed our certification details and our Statement of Applicability, the certification provides a major tick in the box for compliance and generally reduces their assessment to verification checks on CCTV and physical security.
An ISMS encourages its users to emphasise the importance of:
a) Understanding an organisation's information security requirements and the need to establish policy and objectives for information security;
b) Implementing and operating controls to manage an organisation's information security risks in the context of the organisation's overall business risks;
c) Monitoring and reviewing the performance and effectiveness of the ISMS; and
d) Continual improvement based on objective measurement.
An ISO/IEC 27001 compliance certificate provides assurance that the management system for information security is in place and is regularly reviewed, audited and improved upon. The standard adopts the ‘Plan-Do-Check-Act’ (PDCA) model, which is applied to structure all of the ISMS processes.
Adopting the PDCA model also reflects the principles for information security detailed by the Organisation for Economic Co-operation and Development (OECD). This ensures that the standard is implemented to the same level internationally.
Many organisations have implemented some form of information security control; however, without a formal approach and management system, the control of information security is often disjointed. Responsibility isn't clearly defined, so many areas are missed or are never even considered for controls to mitigate the risks, leaving the business and its data vulnerable to a wide range of potential security risks.
ISO 27001 has over 135 individual controls within the standard to ensure that there is a systematic review of all information assets: from paperwork to human resource processes, and from business continuity to business planning, all levels of business control fall under its remit.
When reviewing a company that has ISO 27001 certification, always look at the details of the scope of the certification on page 2. Some management teams limit the scope to cover just one office or area of the business yet suggest that all locations fall under the compliance certificate. Ideally, the scope should cover all business operation bases.
Additionally, ask to review their Statement of Applicability (SOA); this details all of the selected controls that have been included within the scope and, more importantly, gives a management statement of how each control is applied.
BSI carries out a rigorous six-monthly continual assessment plan, which is combined with an internal audit schedule to ensure a continual improvement plan for the ISMS.
Knowledge I.T's compliance certificate, awarded by The British Standards Institute, covers all its locations, offices, I.T. infrastructure, communication network and Data Centre locations. For each section of the SOA there are detailed statements of how the controls are applied and managed.
Kevin McAndrew is Operations Director, Knowledge I.T.