ISO 27001 is an international standard that sets a framework for the establishment, implementation and maintenance of an Information Security Management System (ISMS).
Some companies make the mistake of thinking that ISO 27001 is an IT standard, but technical management is only one piece of the pie. There are actually three aspects to information security:
Many would agree that the biggest risk in information security is the human being! You can have the best physical and technical security systems in the world, but if one member of staff goes home and releases confidential information about a client then BOOM, you have an information security incident! So human behaviour, be it negligence through ignorance or deliberate disobedience, can lead to an issue.
But of course, it is not all about human breaches of security. Retailer Lakeland were “subjected to a sophisticated cyber-attack using a very recently identified flaw in Java software used by the servers running the website, and indeed numerous websites around the world”. Technical systems must cope with attacks from hackers, and sites need to have robust security measures in place to prevent break-ins.
Data centres that offer cloud computing services are likely to have high fences, reinforced doors, motion sensors, tailgating controls such as “man-traps”, rooms controlled with passcode access, and security guards. Many data centres hold certificates in ISO 9001, ISO 27001 and ISO 14001 (or ISO 50001) to manage their use of energy and minimise negative environmental impact.
Do you remember years ago, when we were told to use a strong password and we chose something like Password with a capital P?! Now, of course, we are forced to use passwords that have a minimum length and contain a mix of casing and characters. Some devices use fingerprinting or eye recognition. Things have moved on somewhat and will continue to do so. Organisations handling confidential or sensitive information need to keep an eye on the future and stay in touch with what their clients and other interested parties expect of them.
Like all ISO management system standards, ISO 27001 ISMS tells you what to do but not how to do it. If you want help in setting up an ISMS you can either consult a subject matter expert or read an ISO guideline standard such as ISO 27002 or maybe both!