More and more organizations are looking for guidance on implementing and certifying to ISO 27001. But what exactly is ISO 27001? What does it require? Many clients with an IT or technical background expect a list of security controls – architecture to implement, processes to follow, and tools to use. However, ISO 27001 is different.
The Standard details the requirements for an ISMS (information security management system), and rather than simply being a how-to guide, its focus is the management of information security. Although the Standard’s 114 Annex A controls, and the implementation guidance found in ISO 27002, can help create a secure foundation for a “defense in depth” approach to security, the actual clauses of ISO 27001 (i.e. the requirements that you are audited against when pursuing certification) are slightly different.
ISO 27001 solves two major issues that organizations face:
- Principal/agent problem (agency dilemma)
The principal/agent dilemma is a problem in game theory, behavioral economics, agency law, management, and governance. When one person takes actions on behalf of another person (or organization), a disconnect may occur. For example, in most organizations the employees who tackle day-to-day tasks are different from the owners or shareholders who ultimately hold financial liability for those actions. How, then, does senior management ensure that all employees are taking suitable steps to perform their duties appropriately? To put it another way – how does senior management ensure that employees are doing what they are supposed to do?
- Threat evolution
Since threats, including cyber attacks, are constantly evolving, improving or even maintaining security at any organization can be difficult, especially in the middle of other changes, such as new personnel. Usually, security infrastructure is created on an ad hoc basis according to whoever is in charge, or whatever application is currently favored.
Policies and procedures ensure an organization has a set of standard operational processes that can be repeated over time and continually improved. To that end, ISO 27001 requires you to take your business context into account. Documenting what is in place, or what is required, to protect the organization’s information assets means all employees follow the same guidelines. Continual review means a process can be updated when required, and ensures resilience as staff, technology, threats, the business, and the regulatory environment change. By adapting processes to the ISMS as it evolves, rather than slapping them together to suit the needs of the moment, the system can be managed in the long term.
How IT Governance USA can help
If your CEO now wants to implement ISO 27001, but seeks assistance, our team of experts can help. Click below to speak to one of us today to get your implementation project started!