ISO 27001 is an information security standard, part of the ISO 27000 family of standards, of which the last version was published in 2013, with a few minor updates since then. The family of standards is vast (39 at time of writing), but, as with the other standards, our main focus is on the requirements of ISO 27001.
ISO 27001 grew out of the British Standard BS 7799, originally published in 1995. It was written by the old Department of Trade and Industry (DTI) and consisted of several parts.
The first part contained best practices for information security management, and the second part focused on how to implement an Information Security Management System (ISMS). Part 3 covered risk analysis and management.
Each part was adopted separately by ISO at different times (Part 1 in 2000, Parts 2 and 3 in 2005), but since the last review of the standard in 2013 very little reference is now made to any of the BS standards in connection with ISO 27001.
A quick note about one quirk with this standard - you may see reference to either ISO 27001:2013 or ISO 27001:2017 (note the change in year designation). The 2017 change was introduced to indicate approval by CEN/CENELEC for the EN designation (‘European Standard’), the background to which I’m not going to bore you with here. Needless to say, in practical terms, nothing has changed between the 2013 and 2017 versions of the ISO 27001 standard except for a few minor cosmetic points and a small name change. Either version of the standard is perfectly acceptable, and certification can be against either one; it makes no difference.
Why get an Information Security Management System?
Information is the lifeblood of any business – this is especially true if your clients have entrusted their valuable data to you. Maintaining an Information Security Management System (ISMS) is the most effective way of reducing the risk of suffering a data breach.
An ISMS is a systematic approach to managing the security of sensitive information and is designed to identify, manage and reduce the range of threats to which your information is regularly subjected.
There are a whole host of benefits to putting in an ISO 27001 management system, such as:
The majority of organisations will generally have a range of different information security controls in place. However, without a formal ISMS these controls tend to be somewhat disorganised, haphazard and disjointed.
The reason for this is that the controls have often been implemented over a number of years to firefight specific problems with specific solutions. For example, you used one IT company to put up a firewall but get your antivirus software from an online subscription; you use access cards, but it’s only in the last few years you’ve started collecting them from people leaving the company; you’ve started issuing guidelines to new starters that define business practices applying to employee equipment and internet usage, but don’t know if they’ve been issued to employees who’ve been with you for a while now.
If you would like to look at how to implement an ISO 27001 quality management system, then simply contact us.
Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).