The security of sensitive data is a central objective for companies subject to the General Data Protection Regulation (GDPR). While GDPR is compulsory, the ISO 27001 standard is optional, but many companies still choose to use it to secure their information. This standard also reassures customers about the integrity of their confidential data, particularly in 2022, when cybersecurity has become a vital issue for companies.
Indeed, this international standard offers many advantages – in addition to streamlining the company's internal organisation for better data protection, it also improves its reputation. The digital sector has adopted the standard massively, to the point that it is becoming difficult to justify not complying with it. But what exactly does ISO/IEC 27001 certification entail? How does a compliance program work? What are the advantages and disadvantages of implementing ISO 27001 in your organisation?
How can you tell standards, regulations, labels, and certifications apart? On the one hand, public authorities create regulations that have legal value – they are imposed on companies, who are obliged to comply. On the other hand, standards are applied on a voluntary basis, usually to demonstrate a certain level of safety or quality.
There are many ISO standards (such as ISO 27001, ISO 9001, and ISO 14001) that serve as reference documents, issued by standards bodies such as the International Organization for Standardization (ISO) or the British Standards Institution (BSI). However, standards are not legally binding. Instead, companies use them as a visible sign of their commitment to quality or safety.
Standard and certification are intertwined concepts, with certification relying on the very existence of standards to be useful. ISO 27001 certification means that a company has applied the ISO 27001 information security standard, thereby voluntarily complying with the reference standard for managing its information security risks. An accredited certification body verifies its compliance with the standard and oversees the company’s continued compliance over time.
Regulations are issued by administrative authorities: the State, the Parliament, or even local authorities. In any case, regulations are a matter of law and are therefore legally binding.
Compliance with regulations is a prerequisite for ensuring compliance with a standard. In some countries, ISO 27001 requires companies to comply with information regulations in order to be certified. For example, they must comply with the General Data Protection Regulation (GDPR), among others.
Labels are easier to obtain than certification against a standard or compliance with a regulation, as both public and private bodies are allowed to issue them. Labels are far less regulated than certifications and are not always taken very seriously. After all, a label is only as good as the organisation that issues it.
In terms of cybersecurity, the National Cyber Security Centre (NCSC) created a new cybersecurity label for IoT devices. In this case, the label stems from a governmental plan initiated in May 2019 to better secure IoT devices.
ISO/IEC 27001 is actually a set of a dozen standards designed to secure a company’s sensitive information assets.
The International Organization for Standardization considers ISO/IEC 27001 to be the best-known information security management standard. The standard is specific in that it lays down "the requirements relating to information security management systems (ISMS)".
Here, the Organization affirms that implementing ISO 27001 should facilitate the management of the security of "sensitive assets". These could be financial data, staff information, intellectual property files, or data about your business partners. Meeting the requirements of this standard should then enable the company to protect itself against any loss, theft, or alteration of its confidential data and the risks associated with such incidents.
Like any standard, ISO/IEC 27001 is not compulsory for companies. However, it is particularly useful when it comes to establishing information security controls. Some companies also use it to show their clients and prospects how committed they are to cybersecurity.
In detail, the ISO 27001 standard is designed to protect a company's information systems and avoid cyber risks by:
All these concepts fall under the ISMS, which applies to information systems and processes as well as to the people affected by cybersecurity. This is a powerful tool for managing risk and anticipating cybersecurity breaches.
To be ISO 27001 certified, a company must abide by several procedures:
Contrary to what one might think, it is not the International Organization for Standardization that issues ISO certification. Instead, it is issued by an accredited certification body, which decides whether a company complies with ISO 27001 after conducting a certification audit. This accredited certification body decides the ways and means of evaluation.
In the UK, the most prominent accredited certification body is the Centre for Assessment (CfA), while the United Kingdom Accreditation Service (UKAS) provides you with a search engine of the main British accredited certification bodies. In any case, ISO 27001 certification has a period of validity of only 3 years, after which a control audit must be carried out every year.
ISO 27001 implementation brings your company various benefits, particularly in terms of IT security. It ensures your data protection and protects you from financial losses due to confidential data theft. However, it remains complex to understand and apply.
ISO 27001’s main benefit to your company is an effective cybersecurity system. Indeed, certification provides a framework to prevent information security risks, as well as tailor-made adaptable protocols to make IT security investments profitable. Certification does come with other benefits, too:
Cybersecurity experts have voiced a series of criticisms against the ISO 27001 standard. Some complain that companies primarily use it as a marketing argument, rather than a means of streamlining data cybersecurity. In their opinion, this marketing-oriented approach sometimes results in a lack of rigour when implementing the protocols and prevention measures detailed by ISO/IEC 27001.
Others consider this standard to be very complex, both in its formulation and its application. Since it is time-consuming, it might incite the teams involved to cut corners in an effort to save time. While opinions differ, it is undeniable that the ISO 27001 standard has the disadvantage of being easy to circumvent once mastered.
All companies where data protection is a strategic asset should be interested in the ISO 27001 standard – from large firms to small and medium-sized companies.
Companies are increasingly affected by cyberattacks targeting confidential data. These can be carried out by means of spam emails, such as phishing scams, or spyware (which is a type of malware). A business might also be the victim of ransomware: confidential data is stolen and then held for ransom. According to the NCSC, ransomware has grown explosively since 2018.
Hackers use ever more sophisticated techniques, and cybercrime is becoming a criminal business in its own right. Hackers know that companies are increasingly well trained to manage cyber risks and are willing to invest massively in data security. The stakes, in terms of both the reputation and the financial value of companies, are indeed significant.
Contrary to common belief, FTSE 100 companies are not the only victims. In the UK, 65% of SMEs suffered a cyber attack in 2019-20. Big firms tend to be better prepared against cybercrime, which is why they recover from data theft faster than SMEs or very small businesses (VSBs).
The amounts hackers demand in exchange for stolen data can also significantly weaken the budget structure of a small business, whereas corporate groups often manage to recover from the extortion.
The purpose of the ISO 27001 standard is to manage all those risks. When the British Standard BS7799 became ISO 27001 in 2006-2007, about 7000 companies were certified worldwide. Ten years later, this figure had grown to 37,500, and it continues to grow, helping the standard establish itself as the norm in the digital sector and in cybersecurity consulting.
The ISO/IEC 27001 standard comprises 114 security measures. That breadth should help you properly assess any information security risk. In 2022, it remains one of the most robust cybersecurity guides for ensuring the integrity, availability, and confidentiality of your data.
ISO/IEC 27001 is an international standard dealing with information security management systems (ISMS).
This standard allows the company to streamline its procedures for protecting sensitive data. It prevents the loss, theft, and alteration of information, in addition to protecting information systems from intrusion and disasters. It also helps improve the company's reputation in terms of cybersecurity.
ISO 27001 certification involves submitting to a number of procedures, including a risk audit, a Risk Treatment Plan, and a Declaration of Applicability. Certification is ultimately issued by an accredited certification body.