The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard. The ISO 27000 family of standards helps organizations keep information assets secure. If you are concerned about the protection of assets, especially information assets, an ISMS provides a control framework to protect them. It combines management controls (such as the ISMS framework and ISMS policy), technical controls (malware management, access controls, network perimeter, encryption), procedural controls (e.g. document management) and personnel controls (e.g. background screening), to name a few. Together these cover preventive, detective, restorative, maintenance and monitoring controls. ISO 27001 is the specification for an ISMS, an Information Security Management System. BS7799 itself was a long-standing standard, first published in the nineties as a code of practice. As it matured, a second part emerged to cover management systems. It is against this second part that certification is granted. Today, in excess of a thousand certificates are in place across the world.
The main philosophy of ISO 27001 is to prevent security incidents from happening, and every incident, large or small, costs money. Therefore, by preventing them, your company will save quite a lot of money. And the best thing of all: the investment in ISO 27001 is far smaller than the cost savings you’ll achieve.
Typically, fast-growing companies don’t have the time to stop and define their processes and procedures. As a consequence, employees very often do not know what needs to be done, when, and by whom. Implementing ISO 27001 helps resolve such situations, because it encourages companies to write down their main processes (even those that are not security-related), which reduces the time their employees lose.
There are more and more laws, regulations and contractual requirements related to information security, and the good news is that most of them can be met by implementing ISO 27001: this standard gives you the perfect methodology to comply with them all.
If your company gets certified and your competitors do not, you may have an advantage over them in the eyes of the customers who are sensitive about keeping their information safe.