ISO 27001 is an international standard that describes how to manage information security in an organization. It specifies the requirements for establishing, implementing, maintaining, and improving an Information Security Management System (ISMS).
ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements was first published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
In today’s globalized world, organizations are relying more and more on electronic media to keep records and data of sensitive information. In order to protect this information, organizations have the need to implement an ISMS. ISO 27001 offers a set of specifications that describe the features of an effective ISMS. This standard has a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes, and information technology (IT) systems and its main objectives are:
- Confidentiality, which ensures the availability of information only to those who are authorized to access,
- Integrity, which protects the accuracy and completeness of information and processing methods, and
- Availability, which ensures that authorized users have access to information and associated assets when required.
ISO 27001 is suitable for organizations of all sizes and sectors, anywhere in the world. Any organization that wants to protect their information from threats and to comply with a range of regulatory and statutory requirements related to information protection can implement this standard. Organizations that comply with this standard can:
- Establish a clear and structured methodology for security management.
- Reduce risk of loss, theft or corruption of information.
- Continually review the risks and its controls.
- Increase customers and strategic partner’s confidence.
- Ensure continuity of business operations required after serious incidents.
- Comply with legislation relative personal information, intellectual property and others.
- Improve their image.
- Reduce costs and improve processes and service.
- Integrate the ISMS with other management standards such as ISO 9001 and ISO 14001.
The ISO 27000 family of standards offers a set of specifications, codes of conduct, and best practice guidelines on designing, implementing, auditing, and certifying information security management systems. The ISMS can protect the confidentiality, integrity, and availability of the information. Of primary interest to information security are ISO 27001, ISO 27002 and ISO 27005. Of all the ISO 27000 family of standards, ISO 27001 is the only one that organizations can receive certification for as it offers the specification of an effective information security management system; however, this standard is not a guide. For guidance, organizations should use other standards of the ISO 27000 series.
To the novice quality manager, ISO jargon can be extremely overwhelming. What is an NCR? What do you mean by OFI? Are we certified or accredited? But before you go and pull out your hair, let’s take a moment to go over some of the most frequently used terms and their definitions with regards to ISO and Management System Certification.