ISO 27001 is an international standard for information security in private, public, or non-profit organizations. It describes the requirements for establishing, implementing, operating, and optimizing a documented information security management system.
What is ISO 27001?
DIN ISO/IEC 27001, or ISO 27001 for short, is an international standard designed to ensure information security in organizations such as companies, non-profit organizations, and public institutions. The standard describes the requirements for implementing and operating an information security management system (ISMS). The ISMS is tailored to the circumstances of the particular organization and takes its individual specifics into account.
In addition to the information security management system, ISO 27001 covers the analysis and treatment of information security risks. Within the framework of the described requirements, assets and value chains are protected by selecting appropriate security controls.
For companies, ISO 27001 offers a systematically structured approach to protecting the confidentiality and integrity of operational data. At the same time, it ensures the availability of the IT systems involved in business processes.
The standard is part of the ISO/IEC 2700x family of standards and was published by the International Organization for Standardization (ISO). There are now several revisions of ISO 27001, with the first revision dating from 2005 and the most recent edition from 2015. ISO 27001 is also known as the DIN standard DIN ISO/IEC 27001.
Organizations can be certified to ISO 27001, thereby documenting their implementation of and compliance with applicable information security standards. ISO 27001 has established itself as a standard worldwide and is one of the best-known standards for information security. Numerous companies are certified to ISO 27001.
Benefits of ISO 27001 certification
To become ISO 27001 certified, organizations must commit resources and make investments. Despite this expense, certification offers numerous advantages and demonstrable benefits. Benefits of certification may include the following:
- Minimization of liability risks
- Minimization of business risks
- Reduction of insurance premiums
- Optimization of the process and IT costs
- Increasing competitiveness
- Building trust with customers, business partners, and the public
- Reliable detection and reduction of threats within the company
- Protection of confidential data from misuse, loss, and disclosure
Certification provides the organization with documented proof that information security requirements have been met and that data protection measures have been implemented. It also gives customers and business partners credible evidence that adequate IT security is in place.
The company carries out continuous self-monitoring and constantly optimizes its IT processes with regard to information security. Because ISO 27001 takes a holistic approach, the standard is applied across all hierarchical levels of the organization. It thus also helps to meet the key requirements of auditors and of various regulations such as Basel II.
Requirements for certification
The central requirement of the ISO 27001 standard, and a basic prerequisite for certification, is the introduction of an information security management system (ISMS). In a further step, the organization's assets must be classified and documented.
Possible risks arising from IT or from a lack of information security must be identified, evaluated, and monitored. In this context, the organization must demonstrate that the three core protection goals of information security (confidentiality, integrity, and availability) are addressed together in order to obtain certification.
Management must be informed of the identified risks in regular management reviews. Implementing all of these requirements calls for expert personnel within the organization and possibly external support.
Implementation of certification
The first step for certification is for the organization to decide what type of certification is desired. In principle, it is possible to certify directly to ISO 27001 or to perform an “ISO 27001 certification based on IT-Grundschutz”.
The second option is somewhat more complex, since the measures from the BSI's IT-Grundschutz catalogue must also be fulfilled. Because of its larger scope, this certification carries more weight. The certification itself is carried out by an independent, accredited auditor in a precisely defined process.
A defined degree of compliance with all requirements and measures must be achieved before the certificate is issued. Certificates are usually valid for three years. As a rule, an annual surveillance audit is carried out to confirm that the certificate remains valid.