Big Data Notes 008: ISO 27001

With all of the talk of high profile hackings and breaches and the devastating ramifications of such, dealing in information might seem like a daunting business. By following the ISO 27001 standard, organisations should be able to sleep easy. Big Data Notes explains.

This sounds fun...

Bags of it.

It’s not the new Terminator is it?

Yes, actually, if bad information management is the new John Connor...

It isn’t.

Neither is this then.

So what is it?

ISO 27001 is the information security standard from the International Organization for Standardization. And, yes, apologies, those garish vulgar ‘Zs’ are unfortunately necessary since it’s a trademark.

If it had a passport, it would be down as ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements. Since this is rather a mouthful, it is known by its friends as ISO 27001.

I repeat, what is it?

Basically it is a set of principles that companies follow to prove that they manage information safely. There is a checklist of requirements for meeting the standard and organisations can have their operations evaluated by an approved third party. If they meet the requirements, they will receive ISO 27001 accreditation.

ISO 27001 is one of some 19,000 different standards available from ISO to help organisations run their businesses in line with accepted best practice. Also among this list are standards relating to everything from shoe sizes to machine readable travel documents to retail financial services to determination of twist in single spun yarns.

Okay, so what does the standard stipulate?

By adhering to the standard, organisations build an understanding of the information security risks they face: the threats and vulnerabilities that apply to them and the impact they would suffer in the event of a breach. The standard helps them to implement controls over how information is managed, in terms of their personnel, the companies they work with and their systems for storing and transferring information. It also provides guidance on how to set up review processes for ensuring that the benchmarks continue to be met.

Why would a company want to be ISO 27001 accredited?

The first reason is that by following the guidance the standard stipulates, they are effectively proving to themselves that they meet the industry standard and are therefore taking the necessary precautions against gaps in their security strategy. The second reason is that the ISO standards are recognised and generally respected the world over – this makes it a great advertising tool to show customers that a company is above board and reliable.

What types of company are ISO 27001 accredited?

One of the biggest announcements of late has been the Google Apps for Business suite’s successful adherence to the standard. Amazon Web Services is also accredited, as is Rackspace, Microsoft’s Azure and indeed the majority of other major cloud suppliers and many smaller ones worth their salt.

You don’t have to be an IT provider to be ISO 27001 accredited; industry practitioners that hold customer information often seek the standard.

Who are the evaluators?

An accrediting company has to be independent of the company it is reviewing and not a user of its products. There is an ISO standard for accreditors to follow themselves – ISO 17021 – to prove that they are up to the job. The United Kingdom Accreditation Service (UKAS) is an example of an accrediting body. The blue chip professional services firms also provide accreditation, as do a glut of dedicated smaller organisations.

How does the accreditation process usually work?

In three stages, as a rule:

Stage 1 is a preliminary, informal review, checking key documentation such as the organisation's information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP).

Stage 2 is a more detailed and formal compliance audit, independently testing against the requirements specified in ISO/IEC 27001. The auditors will seek evidence to confirm that the management system has been properly designed and implemented, and is in fact in operation. Passing this stage results in the information security management system (ISMS) being certified compliant with ISO/IEC 27001.

Stage 3 involves follow-up reviews or audits to confirm that the organisation remains in compliance with the standard. These should happen at least annually.

Where can I find out more?

Go straight to the horse’s mouth: www.iso.org.