IT security and privacy protection are currently of key importance to companies and organisations. However, a surge in cybercrime and the emergence of new threats make managing cyber risks seem difficult, if not impossible. Information security management system standards turn out to be very helpful: they facilitate the discovery of potential risks, as well as the identification and elimination of weak points. ISO/IEC 27001 is the best-known such standard. What are its most essential characteristics?
What is ISO/IEC 27001?
ISO/IEC 27001, also called ISO 27001, is the best-known international standard for information security management systems. It sets out the requirements for establishing, implementing, maintaining and continually improving an information security management system in companies of all sizes and from all sectors. An ISO/IEC 27001 compliance certificate means that the organisation has implemented a system to manage the risks related to the security of the data it possesses or handles. It also serves as confirmation that the system follows all of the best practices and principles required under the standard. The official name, ISO/IEC 27001, stems from the joint publication of the standard by ISO and the International Electrotechnical Commission, IEC.
Why do companies need the ISO/IEC 27001 standard?
An information security management system implemented in accordance with ISO/IEC 27001 is a tool for managing risk, cyber resilience and operational excellence. The standard allows companies and organisations to raise their level of IT security and privacy protection. Implementing ISO/IEC 27001 helps an organisation to build knowledge about potential threats, proactively identify weak points in its systems and take preventive action. ISO/IEC 27001 requires companies to adopt a holistic approach to information security. It is therefore important to verify and prepare all the components accordingly – not only the technology and the policies, but also the people.
Who needs ISO/IEC 27001?
Implementing ISO/IEC 27001 should be considered by all organisations which seek protection from cybercrime, data theft and information leaks. It is open to all companies regardless of their size and the industry they operate in. The standard makes it possible to establish a tailor-made information security management system adapted to each company’s needs and to implement a risk management process. In which industries do companies most often choose to implement the ISO/IEC 27001 standard? The answer comes as no surprise: as many as 20% of all valid certificates have been issued to IT sector companies (2021 ISO Survey data). At j‑labs, we have also successfully implemented the standard and completed the certification process. The benefits of ISO 27001 are also recognised by companies operating in other industry sectors, usually regarded as leaders in their fields, as well as by public and non-profit organisations.
What are the benefits of implementing the ISO/IEC 27001 standard?
- Increased trust and credibility of the organization in the eyes of customers, including international ones, by meeting global security requirements.
- Less vulnerability to cyberattacks thanks to a state-of-the-art security management system covering paper-based, digital and cloud-based information alike.
- Protection from damage and data leaks, e.g. concerning financial statements, intellectual property, employee and customer data or any information entrusted by third parties.
- A centrally-managed platform which protects all information in one place.
- Cost savings through increased efficiency, reduced spending on ineffective protection technology and rationalisation of third-party liability insurance costs.
- Mitigation of business risks related to failure to deliver a product or perform a service, thanks to the ability to identify potential problems.
What is the CIA triad in ISO 27001?
There are three important principles in the ISO/IEC 27001 standard, also known as the CIA triad. The abbreviation, although it sounds a lot like the US Central Intelligence Agency, actually stands for confidentiality, integrity and availability. How should these concepts be understood in the context of corporate information security once ISO/IEC 27001 has been implemented? An information security management system which adheres to the standard guarantees the confidentiality, integrity and availability of information through the application of a risk management process. What threats are associated with each of these factors?
- Confidentiality – only authorised individuals may have access to the information stored by the company. An example of a related risk is a situation where cybercriminals obtain login credentials and sell stolen information.
- Information integrity – data used by the company to conduct its business activity, or received by the company, is not deleted or damaged, but stored correctly and carefully. An example of a related risk is an employee accidentally deleting a line in a data file.
- Availability of data – the company and its customers can access the information whenever necessary. An example of a related risk is the company database going offline due to e.g. hardware failure.
What other certificates boost information security?
ISO/IEC 27001 is certainly the best-known international information security management system standard. Other related certifiable standards include:
- ISO/IEC 27043 – the standard contains guidelines for investigation process management for various types of information security incidents. It identifies the principles through which the appropriate tools, techniques and methods are selected in line with the needs of the organisation.
- ISO/IEC 27018 – a standard related to GDPR requirements. It helps companies by identifying specific requirements and rules concerning the creation, implementation, maintenance and development of a protection system for personally identifiable information (PII) in public cloud environments.
- ISO 22301 – the standard sets out the requirements for business continuity management systems. It ensures readiness for uninterrupted work in emergency situations, including those related to IT systems.
- ISO 37301 – the standard replaced ISO 19600 and contains requirements and guidelines concerning the organization’s Compliance Management System (CMS).
- ISO/IEC 30121:2016 – the standard concerns the governance of risk related to digital forensics. It describes the concepts for preparing the organisation for IT investigations before they occur.
Why has j‑labs introduced ISO/IEC 27001?
People are what matters to us, and what they find essential is information security. Our philosophy is: “Code matters, you more”, which is why we do our utmost to ensure the security of the data and intellectual property of our employees and clients.
Want to learn more about the certification process at j‑labs? Read our article: https://www.j-labs.pl/en/business-blog/evolution-not-revolution/