ISO 27001 & cybersecurity

ISO 27001: what is it and why is it good for your cybersecurity strategy?

The security of sensitive data is a central objective for companies subject to the General Data Protection Regulation (GDPR). While GDPR is compulsory, the ISO 27001 standard is optional, but many companies still choose to use it to secure their information. This standard also reassures customers about the integrity of their confidential data, particularly in 2022, when cybersecurity has become a vital issue for companies.

C-Risk
Published on 29 June 2021 (Updated on 12 July 2022)

Indeed, this international standard offers many advantages – in addition to streamlining the company's internal organisation for better data protection, it also improves its reputation. The digital sector has adopted the standard massively, to the point that it is becoming difficult to justify not complying with it. But what exactly does ISO/IEC 27001 certification entail? How does a compliance program work? What are the advantages and disadvantages of implementing ISO 27001 in your organisation?

What are the differences between standards, certifications, and regulations?


How can you tell standards, regulations, labels, and certifications apart? On the one hand, public authorities create regulations that have legal value – they are imposed on companies, who are obliged to comply. On the other hand, standards are applied on a voluntary basis, usually to demonstrate a certain level of safety or quality.

Standards and certifications

There are many ISO standards (such as ISO 27001, ISO 9001, and ISO 14001) that serve as reference documents, issued by standards organisations or standards bodies, such as the International Organization for Standardization (ISO) or the British Standards Institution (BSI). However, standards are not legally binding. Instead, companies use them as flagships for their commitment to quality or safety.

Standard and certification are intertwined concepts, with certification relying on the very existence of standards to be useful. ISO 27001 certification means that a company has applied the ISO 27001 information security standard, thereby voluntarily complying with the reference standard for managing its information security risks. An accredited certification body verifies its compliance with the standard and oversees the company’s continued compliance over time.

Regulations

Regulations are issued by administrative authorities: the State, the Parliament, or even local authorities. In any case, regulations are a matter of law and are therefore legally binding.

Compliance with regulations is a prerequisite for compliance with the standard, not a substitute for it. ISO 27001 requires the organisation to identify the legal, regulatory and contractual requirements that apply to its information and to show how it meets them (Annex A control A.18.1.1 in the 2013 edition), so a company handling personal data in the EU or UK cannot be certified while ignoring the General Data Protection Regulation (GDPR).

Labels

Labels are easier to obtain than certifications, since both public and private bodies are allowed to issue them. Labels are far less regulated than certifications and are not always taken very seriously. After all, a label is only as good as the organisation that issues it.

In terms of cybersecurity, the National Cyber Security Centre (NCSC) created a new cybersecurity label for IoT devices. In this case, it is a label that comes from a governmental plan initiated in May 2019 to better secure IoT devices.

What is the ISO 27001 standard?


ISO/IEC 27001 is the central standard of the ISO/IEC 27000 family, a series of standards designed to secure a company's sensitive information assets. ISO 27001 is the only one of the family against which an organisation can be certified; the others (such as ISO/IEC 27002, the catalogue of control guidance) support its implementation.

Definition of ISO/IEC 27001

The International Organization for Standardization describes ISO/IEC 27001 as the best-known information security management standard. Its distinctive feature is that it specifies "the requirements relating to information security management systems (ISMS)", i.e. the management system itself, rather than a list of technical products.

Here, the Organization affirms that implementing ISO 27001 should facilitate the management of “sensitive assets” security. This could be financial data, staff information, intellectual property files, or data about your business partners. Meeting the requirements of this standard should then enable the company to protect itself against any loss, theft, or alteration of its confidential data and any associated risks.

Like any standard, ISO/IEC 27001 is not compulsory for companies. However, it is particularly useful when it comes to establishing information security controls. Some companies also use it to show their clients and prospects how committed they are to cybersecurity.

In detail, the ISO 27001 standard is designed to protect a company's information systems and reduce cyber risks by:

  • specifying the information technology protective measures that can be considered;
  • preventing the risk of intrusion and disaster in computer systems;
  • helping to disseminate good organisational practices.

All these concepts fall under the ISMS, which covers not only information systems but also the processes and the people involved in securing them. It is a powerful tool for managing risk and anticipating security breaches.


How do you get certified against this ISMS standard?

To be ISO 27001 certified, a company must work through several steps:

  1. Precisely define the scope of its ISMS: which sites, systems, processes and information assets are covered;
  2. Carry out an information security risk assessment: identify the assets in scope and the threats and vulnerabilities that could affect their confidentiality, integrity or availability;
  3. Estimate the likelihood and impact of each of those events and rank them, by risk mapping (a likelihood/impact matrix), for example;
  4. Design a Risk Treatment Plan (RTP) based on this mapping, deciding for each risk whether to accept, reduce, transfer or avoid it, and which controls to apply;
  5. Write a Statement of Applicability (SoA), the document listing each Annex A control, whether it applies to the organisation, the justification for including or excluding it, and its implementation status;
  6. Convert the Risk Treatment Plan into an action plan with performance indicators, then run internal audits and management reviews throughout the ISMS life cycle, since the certification audit checks that the system is actually operated, not just documented.
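The steps above lend themselves to a small worked model. The following Python script is an added example, not code from C-Risk or from the ISO standard: it builds a constructed risk register for a toy ISMS scope, scores each risk on a 5x5 likelihood/impact matrix, derives a treatment decision from a management risk appetite, and produces a draft Statement of Applicability from the controls the plan relies on. The control references use the ISO/IEC 27001:2013 Annex A numbering; the risk scores, the appetite threshold and the "effect" each control is assumed to have on likelihood or impact are illustrative assumptions, not figures from the standard.

```python
"""Toy ISMS walk-through: scope -> risk assessment -> scoring -> treatment plan -> SoA.
Added example; all scores, thresholds and control effects are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    ACCEPT = "accept"        # inherent risk already within appetite
    MITIGATE = "mitigate"    # planned controls bring residual risk within appetite
    ESCALATE = "escalate"    # residual still too high: add controls, transfer or avoid


@dataclass(frozen=True)
class Control:
    ref: str                 # Annex A reference (ISO/IEC 27001:2013 numbering)
    title: str
    likelihood_cut: int = 0  # assumed reduction of the 1..5 likelihood score
    impact_cut: int = 0      # assumed reduction of the 1..5 impact score


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.rid}: likelihood and impact must be 1..5")

    @property
    def inherent(self) -> int:          # score before any planned control
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:          # score after the planned controls
        lik = max(1, self.likelihood - sum(c.likelihood_cut for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_cut for c in self.controls))
        return lik * imp


# Step 1: the ISMS scope, expressed as the set of in-scope assets (constructed).
SCOPE = {"customer-db", "payroll", "laptops"}
RISK_APPETITE = 6   # assumption: management accepts scores of 6 or below

# Assumed catalogue: a handful of Annex A controls with illustrative effects.
CATALOGUE = {c.ref: c for c in [
    Control("A.7.2.2", "Information security awareness, education and training", likelihood_cut=1),
    Control("A.9.2.3", "Management of privileged access rights", likelihood_cut=1),
    Control("A.10.1.1", "Policy on the use of cryptographic controls", impact_cut=2),
    Control("A.12.3.1", "Information backup", impact_cut=2),
    Control("A.12.6.1", "Management of technical vulnerabilities", likelihood_cut=2),
    Control("A.14.2.7", "Outsourced development"),
]}


def build_register() -> list:
    """Steps 2-3: constructed sample risks (not real findings) with their scores."""
    c = CATALOGUE
    return [
        Risk("R1", "customer-db", "ransomware via unpatched server", 4, 5, [c["A.12.6.1"], c["A.12.3.1"]]),
        Risk("R2", "laptops", "lost or stolen laptop holding customer data", 3, 4, [c["A.10.1.1"]]),
        Risk("R3", "payroll", "insider misuse of admin rights", 2, 4, [c["A.9.2.3"]]),
        Risk("R4", "customer-db", "phishing leads to credential theft", 4, 3, [c["A.7.2.2"]]),
        Risk("R5", "laptops", "hardware failure of a single laptop", 2, 2),
    ]


def check_scope(register: list, scope: set = SCOPE) -> None:
    """Step 1 check: every assessed asset must lie inside the declared scope."""
    outside = [r.rid for r in register if r.asset not in scope]
    if outside:
        raise ValueError(f"risks reference assets outside the ISMS scope: {outside}")


def treatment_plan(register: list, appetite: int = RISK_APPETITE) -> dict:
    """Step 4: decide a treatment per risk from its inherent and residual scores."""
    check_scope(register)
    plan = {}
    for r in register:
        if r.inherent <= appetite:
            plan[r.rid] = Treatment.ACCEPT
        elif r.residual <= appetite:
            plan[r.rid] = Treatment.MITIGATE
        else:
            plan[r.rid] = Treatment.ESCALATE   # planned controls are not enough
    return plan


def statement_of_applicability(register: list) -> dict:
    """Step 5: one row per catalogue control, applicable iff some risk relies on it."""
    uses = {ref: [] for ref in CATALOGUE}
    for r in register:
        for c in r.controls:
            uses[c.ref].append(r.rid)
    return {ref: {"title": CATALOGUE[ref].title,
                  "applicable": bool(rids),
                  "justification": f"treats {', '.join(rids)}" if rids else "no in-scope risk identified"}
            for ref, rids in uses.items()}


if __name__ == "__main__":
    reg = build_register()
    for rid, t in treatment_plan(reg).items():
        r = next(x for x in reg if x.rid == rid)
        print(f"{rid} {r.asset:12} inherent={r.inherent:2} residual={r.residual:2} -> {t.value}")
    for ref, row in statement_of_applicability(reg).items():
        print(f"{ref:9} {'Y' if row['applicable'] else 'N'}  {row['justification']}")
```

Running it shows the two outcomes an auditor will look for: R1 (inherent 20) is brought down to 6 by patching plus backups and is marked for mitigation, while R4 stays at 9 after awareness training alone, so the plan flags it for escalation rather than silently accepting it. The SoA row for A.14.2.7 comes out "not applicable" with a written justification, which is exactly what the certification body expects to see for excluded controls.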

Who issues ISO 27001 certification?

Contrary to what one might think, it is not the International Organization for Standardization that issues ISO certification. Instead, it is issued by an accredited certification body that decides whether a company complies with ISO 27001 after conducting a certification audit, normally in two stages: a stage 1 review of the ISMS documentation (scope, risk assessment, Statement of Applicability) and a stage 2 audit of how the ISMS operates in practice.

In the UK, certification bodies are accredited by the United Kingdom Accreditation Service (UKAS), which provides a search engine of accredited bodies; the Centre for Assessment (CfA) is one example. In any case, an ISO 27001 certificate is valid for 3 years, during which the certification body carries out a surveillance audit every year; a full recertification audit is required before the 3 years expire.


Why should you be ISO 27001 certified?


ISO 27001 implementation brings your company various benefits, particularly in terms of IT security. It strengthens your data protection and reduces the risk of financial losses from theft of confidential data. However, it remains complex to understand and apply.

Benefits from ISO/IEC 27001 certification

ISO 27001's main benefit to your company is a working, repeatable security management system. Certification provides a framework for identifying and treating information security risks, so that security spending is directed at the risks that matter rather than spread indiscriminately. Certification does come with other benefits, too:

  • It is a valuable marketing asset, which reassures your clients and stakeholders. The implementation of an ISO 27001 certified ISMS gives your company an undeniable competitive advantage, helping you stand out in the eyes of your prospects and enhance your brand image.
  • Reassuring clients also helps reduce the number of external audits they need to conduct, while you benefit from regular internal audits of your ISMS. All of this guarantees the proper development of your information security controls. Finally, you have an external auditor assessing the performances of your information protection measures once a year.
  • While this standard is not compulsory, data protection is heavily regulated in the UK. In particular, your company must comply with the UK GDPR and the Data Protection Act 2018, and, if it operates essential services or relevant digital services, with the NIS Regulations 2018 (which implement Directive (EU) 2016/1148 on the security of network and information systems). Complying with ISO 27001 does not replace these obligations, but it reduces the financial risk associated with breaches of personal data and other information assets and provides evidence of due diligence.

Is there any drawback to this information security standard?

Cybersecurity experts have voiced a series of criticisms against the ISO 27001 standard. Some complain that companies primarily use it as a marketing argument, rather than a means of streamlining data cybersecurity. In their opinion, this marketing-oriented approach sometimes results in a lack of rigour when implementing the protocols and prevention measures detailed by ISO/IEC 27001.

Others consider this standard to be very complex, both in its formulation and its application. Since it is time-consuming, it might tempt the teams involved to cut corners in an effort to save time. While opinions differ, one limitation is undeniable: the certificate attests that a management system exists, is documented and is followed, not that any particular technical control is effective. An organisation that narrows its ISMS scope to a few systems, or implements the selected controls only on paper, can pass the audit while leaving real exposures untouched.

How does ISO 27001 certification help you with your cybersecurity strategy?


All companies where data protection is a strategic asset should be interested in the ISO 27001 standard – from large firms to small and medium-sized companies.

A substantial increase in cyberattacks targeting sensitive data

Companies are increasingly affected by cyberattacks targeting confidential data. These can be delivered through malicious emails, such as phishing scams, or through spyware (a type of malware). A business might also be the victim of ransomware: its data is encrypted and a payment is demanded for the decryption key, and increasingly the data is also stolen beforehand and its publication used as additional leverage. According to the NCSC, ransomware has grown explosively since 2018.

Attackers use ever more sophisticated techniques, and cybercrime has become a criminal business in its own right. Attackers know that companies are increasingly well trained to manage cyber risks and willing to invest heavily in data security, because the stakes in terms of reputation and financial value are significant.


All companies are concerned, including very small and medium-sized businesses

Contrary to common belief, FTSE 100 companies are not the only victims. In the UK, 65% of SMEs suffered a cyber attack in 2019-20. Big firms tend to be better prepared against cybercrime, which is why they recover from data theft faster than SMEs or very small businesses (VSBs).

The amounts hackers demand in exchange for stolen data can also significantly weaken the budget structure of a small business, whereas corporate groups often manage to recover from the extortion.

A comprehensive standard to secure data integrity

The purpose of the ISO 27001 standard is to manage all those risks. When the British Standard BS 7799-2 became ISO/IEC 27001 in 2005, about 7,000 companies were certified worldwide. Ten years later, this figure had grown to 37,500, a number which continues to grow, encouraging the standard to establish itself as the norm in the digital sector and in cybersecurity consulting.

Annex A of the ISO/IEC 27001:2013 edition lists 114 reference controls (the October 2022 revision reorganises them into 93). Annex A is not exhaustive, and the standard expects you to add controls where your risk assessment requires them, but it gives a systematic checklist against which to test whether any information security risk has been overlooked. In 2022, it remains one of the most robust frameworks for ensuring the confidentiality, integrity and availability of your data.

FAQ

ISO/IEC 27001 is an international standard dealing with information security management systems (ISMS).

This standard allows the company to streamline its procedures of sensitive data protection. It prevents the loss, theft, and alteration of information, in addition to protecting information systems from intrusion and disasters. It also helps improve the company's reputation in terms of cybersecurity.

ISO 27001 certification involves working through a number of steps, including a risk assessment, a Risk Treatment Plan and a Statement of Applicability, followed by a certification audit. Certification is ultimately issued by an accredited certification body.