Before embarking on ISO27000 let’s start with what ISO standards are all about.
Born of the Second World War and the ‘Space Race’, ISO standards were conceived to ensure conformity and a minimum standard for products and services – products in particular. This would allow differing countries, cultures and businesses to interact and trade more efficiently, safe in the knowledge that so long as a specific ISO standard was applied, products and services would meet the specified minimum standard.
Because “International Organization for Standardisation” would have different acronyms in different languages (“IOS” in English, “OIN” in French for Organisation internationale de normalisation), its founders decided to give it a short, all-purpose name. They chose “ISO”, derived from the Greek isos, meaning “equal”.
Between 1947 and the present day, ISO has published more than 16 500 International Standards, ranging from standards for activities such as agriculture and construction, through mechanical engineering, to medical devices and information security.
ISO is a network of the national standards institutes of 163 countries, one member per country, with a Central Secretariat in Geneva, Switzerland. ISO standards are regulated in the UK by a governmental body called UKAS – United Kingdom Accreditation Service. If you don’t see the UKAS tick and crown mark, don’t trust that the organisation is formally registered.
If you didn’t know already, the ISO 27000 family of standards relates to Information Security Management and specifically to an Information Security Management System (ISMS).
An ISMS is a board-approved, high-level information security policy that describes how the different types of risk to an organisation’s information assets are to be treated, and that identifies a set of controls (responses to, or countermeasures for, those risks) addressing each identified risk.
This standard, for the most part, is broken down into:
- ISO 27001, which dictates how an ISMS should work, not what should be in it (16 specified sections outlining how the ISMS should work).
- ISO 27002, which dictates what should be in the ISMS, not how it should work (133 controls that should be in the ISMS).
As with ISO 9001, certification is performed by third-party organisations and those certified to be in conformance with ISO 27001 may publicly state that they are “ISO 27001 certified” or “ISO 27001 accredited”.
ISO 27002 compliance may be demonstrated by producing a ‘Statement of Applicability’ that specifies how the 133 controls dictated within the 27002 standard have been applied, including any that have not, with justification for why they have not been employed.
So what does this give organisations, suppliers and consumers? Well, at the end of the day it is all about confidence.
Thanks to ISO-type standards, NASA were able to confidently assemble spacecraft made of components from not just the US but from across the world, and be sure that they would act as they were meant to in the demanding role of allowing a vessel to escape Earth’s gravitational pull.
NASA were able to procure components from suitably accredited suppliers safe in the knowledge that certain minimum standards had been met. This saved valuable time and money and allowed for an unprecedented level of concurrent activity without jeopardising safety.
It is this same confidence that users of an ISO27002 compliant and/or ISO 27001 accredited partner can have in relation to their information security. The standards demand the use of an ISMS to ensure that:
- Information assets are identified.
- Risk to these assets is assessed in relation to likelihood and impact of specific threats and vulnerabilities.
- Where a level of assessed risk to an asset is not acceptable, controls are implemented to reduce such risk (the 133 controls dictated by ISO27002).
- These assessments and controls are frequently audited internally and externally to ensure security and best practice.
- Action is taken to address any non-conformances or shortfalls identified.
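As an added illustration (not code from the original article), the cycle above can be modelled as a small risk register with a Statement of Applicability check: assets are recorded, each risk is scored by likelihood and impact, risks above an acceptance threshold must have controls assigned, and every control excluded from the Statement of Applicability must carry a justification. The 5x5 scoring scale, the risk appetite of 6, the control identifiers such as CTRL-PATCH and the sample data are all assumptions made for this example, not values taken from ISO 27001 or ISO 27002.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    owner: str


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int                  # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                      # 1 (negligible) .. 5 (severe); assumed scale
    controls: list = field(default_factory=list)  # ids of controls applied to this risk

    def score(self) -> int:
        """Risk rating as likelihood x impact on an assumed 5x5 matrix."""
        return self.likelihood * self.impact


RISK_APPETITE = 6   # assumed: a score of 6 or below is accepted without treatment


def needs_treatment(risk: Risk) -> bool:
    """True when the assessed risk exceeds what the organisation will accept."""
    return risk.score() > RISK_APPETITE


def untreated_risks(register):
    """Risks above appetite with no control assigned: a shortfall to act on."""
    return [r for r in register if needs_treatment(r) and not r.controls]


def soa_problems(register, soa):
    """Check a Statement of Applicability (control id -> (applied, justification)).

    Findings: excluded controls that lack a justification, and controls a risk
    relies on that the SoA does not record as applied.
    """
    findings = []
    for cid, (applied, justification) in soa.items():
        if not applied and not justification.strip():
            findings.append(f"{cid}: excluded without justification")
    for r in register:
        for cid in r.controls:
            applied, _ = soa.get(cid, (False, ""))
            if not applied:
                findings.append(f"{cid}: relied on by '{r.threat}' risk but not applied in SoA")
    return findings


def audit(register, soa):
    """One internal-audit pass: the non-conformances an auditor would raise."""
    return {
        "untreated": [f"{r.asset.name}/{r.threat} (score {r.score()})"
                      for r in untreated_risks(register)],
        "soa": soa_problems(register, soa),
    }


# Constructed sample data for the example; not drawn from any real organisation.
DB = Asset("customer database", "Head of Operations")
LAPTOPS = Asset("sales laptops", "Sales Director")
REGISTER = [
    Risk(DB, "ransomware", "unpatched servers", likelihood=4, impact=5,
         controls=["CTRL-PATCH", "CTRL-BACKUP"]),
    Risk(LAPTOPS, "laptop theft", "no disk encryption", likelihood=3, impact=4),
    Risk(LAPTOPS, "battery failure", "ageing hardware", likelihood=2, impact=1),
]
SOA = {
    "CTRL-PATCH": (True, ""),
    "CTRL-DISK-ENCRYPT": (False, ""),                                   # missing justification
    "CTRL-BACKUP": (False, "Hosting provider performs backups under contract"),
}

if __name__ == "__main__":
    report = audit(REGISTER, SOA)
    for finding in report["untreated"]:
        print("untreated risk:", finding)
    for finding in report["soa"]:
        print("SoA finding:", finding)
```

Running the audit over the sample register flags the laptop-theft risk (score 12, above appetite, no control) and two Statement of Applicability findings: a control excluded without justification, and a backup control that the ransomware risk relies on even though the SoA records it as not applied. Those are exactly the kinds of shortfall the final step of the cycle exists to catch before an external auditor does.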
Such an approach means you can be confident that your information is in safe hands, and this is why more and more organisations insist on ISO27001 accreditation from partners who may be handling their sensitive data. ISO27001 gives them confidence that you are not only providing that security now but, thanks to the use of an ISMS, will maintain it on an ongoing basis and have it independently verified.
The case for partnering with a hosting partner who can provide such confidence in relation to the security of your information and data is more critical than ever before – make sure your service provider can demonstrate their ISMS.