ISO 27001 & cybersecurity

ISO 27001: why is it a good thing to have your cybersecurity strategy certified?

The security of sensitive data is a central objective for companies subject to the General Data Protection Regulation (GDPR). While this regulation is compulsory, the ISO 27001 standard is not. Many companies use it to secure their information anyway. This standard also reassures their customers about the integrity of their confidential data, particularly in 2021, when cybersecurity has become a vital issue for companies.

C-Risk

Published on June 29, 2021, 12:39 p.m. (Updated on 24 September 2021 17:11)

Indeed, this international standard offers many advantages: in addition to streamlining the company's internal organization for better data protection, it also improves its reputation. The digital sector has adopted it massively, to the point that it is becoming difficult not to comply with it. What exactly does ISO/IEC 27001 certification correspond to? How does a compliance programme work? What are the advantages and disadvantages of implementing ISO 27001 in your organization?

What are the differences between standards, certifications, and regulations?


How can you tell standards, regulations, labels, and certifications apart? Public authorities create regulations; these have legal value and are imposed on companies. Standards are applied voluntarily, to demonstrate a level of safety or quality.

Standards and certifications

There are many ISO standards, such as ISO 27001, ISO 9001, and ISO 14001. These standards are reference documents issued by standards organizations or standards bodies, among them the International Organisation for Standardisation (ISO) and the British Standards Institution (BSI). However, standards are not legally binding. Companies use them as flagships for their commitment to quality or safety.

Standard and certification are intertwined concepts: a certification needs to be based on a standard before it can be pronounced. ISO 27001 certification means that a company has applied the ISO 27001 information security standard. The company thereby voluntarily complies with the reference standard for managing its information security risks. An accredited certification body verifies its compliance with the standard; it also guarantees that the company's compliance will be maintained over time.

Regulations

Regulations are issued by administrative authorities: the State, Parliament, or even local authorities. In any case, regulations are a matter of law and are therefore legally binding.

Compliance with regulations is a prerequisite for compliance with a standard. In some countries, ISO 27001 requires companies to comply with information regulations in order to be certified. They must comply, among other things, with the General Data Protection Regulation (GDPR).

Labels

Labels are easier to obtain than regulations and standards, because both public and private bodies are allowed to issue them. Labels are far less supervised than certifications: they are not always a sign of seriousness. A label is only as good as the organization it comes from.

In cybersecurity, the National Cyber Security Centre (NCSC) created a new cybersecurity label for IoT devices. In this case, the label stems from a governmental plan initiated in May 2019 to better secure IoT devices.

What is the ISO 27001 standard?


ISO/IEC 27001 is actually a set of a dozen standards designed to secure a company’s sensitive information assets.

Definition of ISO/IEC 27001

The International Organisation for Standardisation considers ISO/IEC 27001 to be the most famous information security management standard. This text has the particularity of specifying "the requirements relating to information security management systems (ISMS)".

Here, the Organisation affirms that implementing ISO 27001 should facilitate the management of "sensitive asset" security. This could be financial data, staff information, intellectual property files, or data about your business partners. Meeting the requirements of this standard should then enable the company to protect itself against any loss, theft, or alteration of its confidential data, and against any associated risks.

Like any standard, ISO/IEC 27001 is not compulsory for companies. However, it is particularly useful when it comes to establishing information security controls. Some companies also use it to show their clients and prospects how committed they are to cybersecurity.

In detail, the ISO 27001 standard is designed to protect a company's information systems by preventing cyber risks:

- it specifies the information technology protective measures that can be considered;

- it prevents the risk of intrusion and disaster in computer systems;

- it also disseminates good organizational practice.

All of this falls under the ISMS. It applies to information systems as well as to the processes and people affected by cybersecurity. It is a powerful tool for risk management and for anticipating cybersecurity breaches.


How can you obtain this ISMS security standard?

To be ISO 27001 certified, a company must go through several procedures:

  1. Precisely defining the scope of its ISMS;
  2. Carrying out an internal audit of information security risks in order to better ensure data protection;
  3. Estimating the probability and impact of each of these possible events, by risk mapping for instance;
  4. Designing a Risk Treatment Plan (RTP) based on this mapping;
  5. Writing a Statement of Applicability (SoA): a document by which general management expresses its commitment to the cybersecurity measures described in the RTP;
  6. Converting the Risk Treatment Plan into an action plan, providing for performance indicators and regular updates throughout the ISMS life cycle.

Who issues ISO 27001 certification?

Contrary to what one might think, it is not the International Organisation for Standardisation that issues ISO certification. An accredited certification body decides whether a company complies with ISO 27001, after having conducted a certification audit. This accredited certification body decides on the ways and means of evaluation.

In the UK, the most prominent accredited certification body is CfA, the Centre for Assessment. In addition, the United Kingdom Accreditation Service (UKAS) provides a search engine listing the main British accredited certification bodies. In any case, ISO 27001 certification is valid for only 3 years, after which a control audit must be carried out every year.


Why should you be ISO 27001 certified?


Implementing ISO 27001 brings various benefits to your company, particularly in terms of IT security. It ensures your data protection and shields you from financial losses due to the theft of confidential data. However, it remains complex to understand and apply.

Benefits from ISO/IEC 27001 certification

The main benefit ISO 27001 brings to your company is an effective cybersecurity system. This certification provides a framework for preventing information security risks. It also provides adaptable, tailor-made protocols that make IT security spending pay off. Certification also comes with other benefits:

  • It is a valuable marketing asset, which reassures your clients and stakeholders. The implementation of an ISO 27001 certified ISMS gives your company an undeniable competitive advantage. This way, you stand out in the eyes of your prospects and enhance your brand image.
  • Reassuring clients also helps reduce the number of external audits they need to conduct. Conversely, you benefit from regular internal audits of your ISMS. All of this guarantees the proper development of your information security controls. Finally, an external auditor assesses the performance of your information protection measures once a year.
  • While this standard is not compulsory, data protection is largely regulated in the UK. In particular, your company must ensure its compliance with regulations such as the GDPR or the Directive (EU) 2016/1148 on the security of networks and information systems. Complying with ISO 27001 mitigates the financial risks associated with breaches of personal data and other information assets.

Is there any drawback to this information security standard?

Cybersecurity experts have voiced a series of criticisms of the ISO 27001 standard. Some complain that certain companies use it primarily as a marketing argument rather than as a means of streamlining data cybersecurity. In their opinion, this marketing-oriented approach sometimes results in a lack of rigour when implementing the protocols and prevention measures detailed by ISO/IEC 27001.

Others consider this standard to be very complex, both in its formulation and in its application. Because it is time-consuming, it may tempt the teams involved to bend the rules in order to save time. The ISO 27001 standard certainly has the disadvantage of being easy to circumvent once mastered.

How does ISO 27001 certification help you with your cybersecurity strategy?


All companies where data protection is a strategic asset should be interested in the ISO 27001 standard: big firms as well as small and medium-sized companies.

A substantial increase in cyberattacks targeting sensitive data

Companies are increasingly affected by cyberattacks targeting confidential data. These can be carried out by means of spam emails such as phishing scams, or by spyware (a type of malware). A business might also fall victim to ransomware: confidential data is stolen and then held for ransom. According to the NCSC, ransomware has grown explosively since 2018.

Hackers use increasingly sophisticated techniques, and cybercrime is becoming a criminal business in its own right. Hackers know that companies are better and better trained to manage cyber risks and are willing to invest more in data security. The stakes, in terms of companies' reputation and financial value, are indeed significant.


All companies are concerned, including very small and medium-sized businesses

Contrary to common belief, FTSE 100 companies are not the only victims. In the UK, 65% of SMEs suffered a cyber attack in 2019-20. Big firms tend to be better prepared against cybercrime, which is why they recover from data theft faster than SMEs or very small businesses (VSBs).

The amounts hackers demand in exchange for stolen data can also significantly weaken the budget structure of a small business, whereas corporate groups often manage to recover from the extortion.

A comprehensive standard to secure data integrity

The purpose of the ISO 27001 standard is to manage all of these risks. When the British Standard BS7799 became ISO 27001 in 2006-2007, about 7000 companies were certified worldwide. Ten years later, this figure had grown to 37500. It continues to grow, and the standard will soon establish itself as the norm in the digital sector and in cybersecurity consulting.

The ISO/IEC 27001 standard comprises 114 security measures. This exhaustiveness should help you properly assess any information security risk. In 2021, it is one of the most effective cybersecurity guides for ensuring the integrity, availability, and confidentiality of your data.

FAQ

ISO/IEC 27001 is an international standard dealing with information security management systems (ISMS).

This standard allows a company to streamline its procedures for protecting sensitive data. It prevents the loss, theft, and alteration of information, in addition to protecting information systems from intrusion and disasters. It also helps improve the company's reputation in terms of cybersecurity.

ISO 27001 certification involves going through a number of procedures, including a risk audit, a Risk Treatment Plan, and a Statement of Applicability. Certification is ultimately issued by an accredited certification body.