At Anitian, we regularly talk with leaders about the challenges of integrating compliance and security into a cohesive program. Lately, ISO 27001 compliance has attracted attention among many business leaders. This is partially the result of increasing uncertainty with international standards such as the General Data Protection Regulation (GDPR).
In this blog, we will walk through the basic components of ISO 27001 compliance, as well as the core steps you must take to become compliant.
What is ISO 27001?
The International Standards Organization (ISO) publishes a “family” of standards documents for information security, numbered ISO 27000 through 27016. For simplicity, we will shorten that to the “ISO 2700x” standards. These standards define internationally agreed-upon best practices for implementing an information security program. In the language of ISO, this is called an Information Security Management System (ISMS).
The ISMS is a collection of people, processes, and technologies used to meet ISO 27001 compliance. It is not a specific technology or application, but rather a systematic way of managing information security efforts.
There are two ISO 2700x standards that formally define requirements: ISO 27001 and 27006.
- ISO 27001 defines the actual requirements of an ISMS. This is why most people refer to ISO compliance as ISO 27001 compliance.
- ISO 27006 defines how to audit compliance with ISO 27001.
The other standards in the ISO 2700x family are guidelines. The ISO 27000 document is a general overview of the entire ISO 2700x family. This document defines terminology and the key steps for implementing an ISMS.
Why ISO 27001 Compliance?
The most common reason organizations pursue ISO compliance is at the request of a third party. Many large international companies require their business partners to establish and maintain ISO 27001 compliance as a demonstration of diligence.
The breakdown of the European Safe Harbor policy agreement and the rise of the GDPR has also accelerated interest in ISO 27001. While ISO and GDPR are two separate security standards, ISO 27001 compliance is the most direct path to alignment with GDPR. This is why many international companies are mandating ISO 27001 compliance.
However, independent of third-party demands, ISO 27001 is also an excellent framework for internal governance. Its risk-based approach as well as its flexibility result in an easily defensible security program platform.
Nevertheless, ISO 2700x, like many other frameworks, still demands a significant level of effort to fully integrate into your business.
In part two (published tomorrow) of this blog, we will discuss how to implement an ISMS, as well as how you can translate the ISO 27001 requirements into the daily operation of your business.