ISO 27001: what is it and why is it good for your cybersecurity strategy?

This international standard offers many advantages: in addition to streamlining the company's internal organization for better data protection, it also improves its reputation. The digital sector has adopted the standard so widely that it is becoming difficult to justify not complying with it. But what exactly does ISO/IEC 27001 certification entail? How does a compliance program work? What are the advantages and disadvantages of implementing ISO 27001 in your organization?

Melissa Parsons
Technical Writer
ISO 27001 - C-Risk

What are the differences between standards, certifications, and regulations?

How can you tell standards, regulations, labels, and certifications apart? On the one hand, public authorities create regulations that have legal value: they are imposed on companies, which are obliged to comply. On the other hand, standards are applied on a voluntary basis, usually to demonstrate a certain level of security or quality.

Standards and certifications

Many ISO standards (such as ISO 27001, ISO 9001, and ISO 14001) serve as reference documents. They are issued by standards organizations or standards bodies, such as the International Organization for Standardization (ISO) or the British Standards Institution (BSI). However, standards are not legally binding. Instead, companies use them to showcase their commitment to quality or security.

Standards and certifications are intertwined concepts, since a certification is only useful because the standard it attests to exists. ISO 27001 certification means that a company has applied the ISO 27001 information security standard, thereby voluntarily complying with the reference standard for managing its information security risks. An accredited certification body verifies its compliance with the standard and oversees the company's continued compliance over time.

Regulations

Regulations are issued by administrative authorities: the State, the Parliament, or even local authorities. In any case, regulations are a matter of law and are therefore legally binding.

Compliance with regulations is a prerequisite for compliance with a standard. In some countries, ISO 27001 requires companies to comply with the information regulations that apply to them in order to be certified. For example, they must comply with the General Data Protection Regulation (GDPR), among others.

Labels

Labels are easier to obtain than certification against a standard, as both public and private bodies are allowed to issue them. Labels are far less regulated than certifications and are not always taken very seriously. After all, a label is only as good as the organization that issues it.

In cybersecurity, the National Cyber Security Centre (NCSC) created a new cybersecurity label for IoT devices. This label comes from a governmental plan initiated in May 2019 to better secure IoT devices.

What is the ISO 27001 standard?

ISO/IEC 27001 is actually a set of a dozen standards designed to secure a company’s sensitive information assets.

Definition of ISO/IEC 27001

The International Organization for Standardization considers ISO/IEC 27001 to be the best-known information security management standard. The distinctive feature of this text is that it specifies "the requirements relating to information security management systems (ISMS)".

ISO states that implementing ISO 27001 should make it easier to manage the security of "sensitive assets". These could be financial data, staff information, intellectual property files, or data about your business partners. Meeting the requirements of this standard should then enable the company to protect itself against any loss, theft, or alteration of its confidential data, and against the associated risks.

Like any standard, ISO/IEC 27001 is not compulsory for companies. However, it is particularly useful when it comes to establishing information security controls. Some companies also use it to show their clients and prospects how committed they are to cybersecurity.

In detail, the ISO 27001 standard is designed to protect a company's information systems and avoid cyber risks by:

  • specifying the information technology protective measures that can be considered;
  • preventing the risk of intrusion and disaster in computer systems;
  • helping to disseminate good organizational practices.

All these concepts fall under the ISMS, which covers information systems, processes, and the people involved in cybersecurity. It is a powerful tool for managing risk and anticipating cybersecurity breaches.


How can you obtain ISO 27001 certification for your ISMS?

To be ISO 27001 certified, a company must complete several steps:

  1. Precisely define the scope of its ISMS;
  2. Carry out an internal audit of its information security risks in order to better ensure data protection;
  3. Estimate the probability and impact of each of those possible events, by risk mapping, for example;
  4. Design a Risk Treatment Plan (RTP) based on this mapping;
  5. Write a Statement of Applicability (SoA), a document by which general management expresses its commitment to the cybersecurity measures described in the RTP;
  6. Convert the Risk Treatment Plan into an action plan, with performance indicators and regular updates throughout the ISMS life cycle.

Who issues ISO 27001 certification?

Contrary to what one might think, it is not the International Organization for Standardization that issues ISO certification. Instead, it is issued by an accredited certification body, which decides whether a company complies with ISO 27001 after conducting a certification audit. This accredited certification body decides the ways and means of evaluation.

In the UK, the most prominent accredited certification body is the Centre for Assessment (CfA), while the United Kingdom Accreditation Service (UKAS) provides a search engine listing the main British accredited certification bodies. In any case, ISO 27001 certification is valid for only 3 years, after which a control audit must be carried out every year.


What is ISO 27001?

ISO/IEC 27001 is an international standard for information security management systems (ISMS).

Why should you try to obtain ISO 27001?

This standard allows the company to streamline its procedures for protecting sensitive data. It helps prevent the loss, theft, and alteration of information, in addition to protecting information systems from intrusion and disasters. It also helps improve the company's reputation in terms of cybersecurity.


ISO 27001 certification involves completing a number of steps, including a risk audit, a Risk Treatment Plan, and a Statement of Applicability. Certification is ultimately issued by an accredited certification body.