What is ISO27001? What is it all about? Why should I do it? (without the jargon).

It is a very widely used international standard designed to help organisations meet the following explicit or implicit business objective:

“Help stop or deal with the consequences of bad things happening to information in the organisation.”

When we say “information” (or “data”) we mean things like names, addresses, credit card details, financial records, etc. It is typically stored on IT systems or in filing cabinets.

When we say “bad things” we mean any of the following:

1) Someone gets access to information that they shouldn’t have access to. Especially people outside the company.

2) The information gets corrupted/scrambled/damaged somehow.

3) You can’t get at the information for some reason. For example, all the IT systems stop working.

To help achieve this objective ISO27001 says that you should do the following:

1) Work out what it is that you need in place across your organisation to help you achieve the above objective.

2) Then implement it/do it consistently across all the organisation.

3) On an ongoing basis check that it is all working OK across the organisation and fix it if it isn’t for some reason.

Supporting this are the following principles of ISO27001:

- It is about being proactive rather than reactive.

- It requires conscious and considered decision making by the right people about what needs to be done.

- It is about being in control of and knowing what is going on around the organisation with respect to meeting the objective.

- Not everything has to be perfect but you should know what is not perfect and what, if anything, you are going to do about it.

If you look at the above you can see that this is all the basic principles of how to manage anything in an organisation – not just information security.

The standard itself consists of two parts. The first part (9 pages) is a list of things it says you must do if you are “doing ISO27001”. These are the "clauses". Some of the things that ISO27001 insists that you do may look a bit odd to you and you may (rightly) think that they will not help you achieve the objective, but you still have to do them.

The second part of ISO27001 is a list of optional things ("controls") that might help you meet your objective, and you choose which of these you think you need.

After you think you have “done ISO27001” you can get external companies ("certification bodies") to come and check that you have done it properly. If they agree then you get a nice certificate to hang on the wall. Well done!

People wrap this all up in lots of jargon and complexity but this is the essence of ISO27001.

That is it.

Chris

Gilbert De Bree

Experienced all-round Manager - Telecommunications & ICT sector, Business continuity, Information Security- and Risk management

1 year

Chris hi, I find it a very easy to read (and absorb) explanation.

Jamie Rees

Security Leader, Thinker & Speaker - CISO

1 year

"...this is all the basic principles of how to manage anything in an organisation – not just information security." Most important point in my opinion, managing security isn't magic, it is the same thing we do for other parts of the business.

Nice! Out of interest, I prompted ChatGPT 4 with your headline, Chris. Its response ended with a neat conclusion: "In short, ISO 27001 is about creating a strong and flexible system to protect your organization's valuable information while building trust with stakeholders and staying compliant with regulations." Despite the jargon, that's not bad. I'd add that effective information risk and security management enables the organisation to realise the value of - as well as protect - information. Having the appropriate information security controls in place lets the organisation do stuff involving information that would otherwise be too risky. For me, it's a business enabler, facilitating good things as much as stopping bad things. [By the way, I also asked ChatGPT to "summarise iso/iec 27001: what is its purpose and how does it work?" with a far less impressive result, referring inaccurately I think to the 2005 version of the standard. That's an information integrity failure, a subtle warning about the information risks associated with prompt engineering. (Com)Posing the right questions and critically evaluating the results are important skills, a kind of information security control.]

Brian Taylor

Helping Small Business Owners Increase Turnover and Profitability by implementing ISO Management Systems. | ISO9001 | ISO27001 | ISO14001 | ISO45001 | ISO Guy | SPARK Model

1 year

Thanks Chris. Great straightforward explanation.
