Why ISO 27001 is the Framework of Choice for Information Security

Why ISO 27001 is the Framework of Choice for Information Security

In 2019 alone, there have been millions of cybersecurity breaches all over the world. Government agencies, companies and individuals continue to experience one form of cyber-attack or another daily. Companies including Huawei, Capital One, BASF, Siemens and Henkel just to mention a few were in the news at one point or the other during the year as victims of cybersecurity breaches. All these companies aside from the possible potential drop in their share prices, bad publicity, possibly fines that could run into millions of dollars all have one very important thing in common, loss of people's trust.

There is no other time in the history of the world than today that protecting an organization's valuable information is considered as a key business and strategic objective. The Internet as a tool has opened immense doors and opportunities to individuals and corporations alike, equally, it has opened the room to serious adversaries and bad actors as well.

Organizations can no longer sit on the sidelines when it comes to information security and privacy. Organizations cannot change the environment in which they operate but they can do something to protect themselves and their interest. Organizations must show a sense of commitment to their stakeholders by ensuring the information entrusted to their care by their partners, customers and employees are as secure as they can be. One way to demonstrates this commitment is for organizations to align their processes and operations to the requirements of ISO 27001 and by doing so hopefully, obtain the ISO 27001 certification. The question is, what is ISO 27001 and why is it so important in today's world?

ISO 27001

The ISO/IEC 27001 is an international standard jointly developed by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). The current version was published on 1st October 2013 and popularly denoted as ISO 27001:2013. It is a standard that serves as a framework that provides the requirement for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). To put it in simple terms, by following the guideline specified in the standard, organizations can attest to and claim to have demonstrated a systematic approach to information security management. What then is Information Security?

Very often, most people tend to think of information security as simply maintaining the confidentiality of valuable information. This by no means is correct but only part of the truth. ISO 27001 details what organizations need to consider and implement for them to have an assurance and confidence that, they indeed have an information security management system or program in place. ISO 27001, therefore, provides a risk management approach to information security by taking a holistic view through the preservation of the confidentiality, integrity, and availability of valuable information.

Simply following the guideline provided by ISO 27001 in establishing, implementing, operating and maintaining an ISMS provides tremendous benefits but going further to acquire ISO 27001 certification sets your organization apart from your competitors.

Benefits of ISO 27001 Certification

There are numerous benefits for organizations that choose to implement an ISMS using the ISO 27001 standard amongst which are:

  1. Business and security improvement: The primary benefit of implementing an ISMS is the protection of an organization's valuable information and making employees realize that information is an asset. This, in turn, encourages and increases awareness with a focus on security and business risk management. Very often, when people are asked to list their assets either at home or their place of work, you are not likely to hear anything about information or data but rather the physical or tangible assets.
  2. Better compliance with information security regulatory and contractual requirements: One of the key inputs to the ISMS is knowing what the legislative, regulatory and contractual requirements are to your business. Very often, organizations claim to comply with applicable laws and regulations but when pressed further on what they are complying with, they do not have an idea. Implementing or aligning an information security program to the requirements of ISO 27001 forces organizations to examine the environment in which they operate and ensures they develop policies, processes, procedures and/or technical controls to satisfy these requirements.
  3. Enhancement of company image and marketing positioning: There is a reason why ISO 27001 certification is the leading information security certification for organizations all over the world. Being able to present this certificate to your existing customers or prospect is a demonstration that your organization takes information security seriously. Besides, the number of both private and public sector clients/customers who insist on a supplier's ability to demonstrate ISO 27001 certification as a minimum requirement for commercial bids are on the increase. It makes sense for us as an organization to be ahead rather than play catchups later.
  4. Reduction in information security breaches and resulting losses: Implementing an information security program using ISO 27001 ensures the identification of in-scope assets, threats, and vulnerabilities and most importantly aid in the identification and assignment of the responsibility in addition to putting measures in place to close identified gaps. This ultimately minimizes the number of security breaches and the potential losses due to bad publicity, share prices erosions when incidents do occur, and loss of customer's trust amongst others.
  5. A systemic approach to information security management: The standard is structured in such a way that provides a plan-do-check-ack (PDCA) cycle risk-based approach to information security management. Following this process ensures a holistic view of the information security landscape of the organization is considered, this leads to improvement in areas that possess a significant risk to the organization while considering its operating environment.
  6. Provides clarity in the definition of information security-related authorities and responsibilities: Very often, people do not even know what they are responsible for when it comes to information security. Following the guideline as specified in the standard will ensure personnel know what their responsibilities and accountabilities are when it comes to information and cybersecurity.
  7. Reduction in operational cost: There are occasions where the need for regular information systems audit is documented as a contractual requirement that the organization to be audited must bear the cost. It is possible in this instance to be able to forgo those audits if an organization can show they meet the same requirement through the ISO 27001 certification thereby greatly reducing their operational cost.

RisKonsults specializes in helping organizations improve their information security posture. Contact us if you wish to seek any clarification or inquire about our services.

Zezi Tesa

Lead Information & Cybersecurity Consultant

RisKonsults