What Is ISO/IEC 27001 in Information Security?

Consistency is vastly underrated. Long before ISO 27001, the ISO itself, time zones, and even the metric system, agreed-upon standards were used to work towards common goals and accomplish more than we ever thought possible. The ways we measure time, distance, and the world around us would be impossible to articulate were it not for the humble standard.

“Standards bring people into alignment, and people that are aligned have been able to do the impossible.” - Lucas Szymanowski, Director of Information Security and GRC at Wrike

You might’ve assumed that ISO 27001 was a granular piece of IT jargon. But there’s more to it: It belongs to an organization and broader socioeconomic movement that’s been driving society towards greater collaboration and innovation worldwide since the 1940s.

What is ISO?

The International Organization for Standardization, or ISO, is an independent agency that sets standards for goods and services. These standards can be as narrow as the sizing of rail gauges or as broad as the proper way to make tea, but every ISO standard is put into place with the intention of increasing consistency in global industry.

ISO was founded in 1946 and has since created tens of thousands of standards that address a wide variety of manufacturing and technology-related products, services, and processes. Modern contemporaries of ISO standards include GDPR in Europe and HACCP in food safety standardization.

Notable ISO standards include those in information security (like ISO 27001), environmental management, social responsibility, and logistics.

Why are ISO standards important?

ISO standards are the unsung heroes that help simplify a complex and oftentimes incompatible world. One of their most significant impacts on world commerce has been the establishment of ISO/TC 104, which standardizes the dimensions and specifications of freight shipping containers.

Before containerization, global trade moved at a snail’s pace. Misshapen boxes and abnormal cargo created logistical nightmares if, say, bundles of English cotton were transported onto French ships, over German railways, and into Baltic stores. A lack of transportation standardization caused significant waste in shipping times and labor.

With the establishment of ISO/TC 104 and other freight standards in the 1960s, cargo ships began hauling exclusively 20-foot containers, culminating in an estimated savings of 75% in global shipping costs. We might take global standardization for granted today, but international consistency in freight is considered one of the most influential inventions in history.

The International Organization for Standardization has continued to provide consistency and value in the digital economy with its inclusion of information security standards starting in 2005.

What is an ISMS?

An ISMS is an information security management system, a methodology that ensures a high level of information security through defined processes and best practices. Within the context of ISO, you can think of ISMS as a standard for responsible security practices.

Now that you have an understanding of both the ISO and ISMS, let’s dive into the fundamentals of the ISO 27001 certification.

ISO 27001, explained

According to the International Organization for Standardization, ISO/IEC 27001 is a standardized ISMS certification created to ensure a high level of information security in technology products, services, and processes.

Try to think of ISO 27001 as your typical ISO standard: Just as uniform freight containers helped to connect worldwide shipping, uniform information security can help integrate our digital world with a strong and secure foundation.

While the ultimate goal of ISO 27001 is to protect data, many of its core elements extend beyond digital protection and include structural and organizational guidelines. ISO 20071 takes a holistic approach to information security to reduce the risk of personnel error in security breaches.

Lucas Szymanowski, Director of Information Security and GRC at Wrike, adds, “ISO 27001 defines, on an international level, the baseline for how we protect customer data, manage information security processes, and guarantee protection and security.”

What are the benefits of ISO 27001?

In 2018, the data of over 1 billion people was exposed in a handful of large-scale security breaches. An ISO 27001 certification is a seal of approval saying that your organization is compliant with information security best practices and fortified against potential threats.

Similarly, an organization is only as strong as its weakest link. Teams that invest in ISO 27001-certified tools work with greater confidence knowing that their data integrity is sound.

For example, the University of Tampa underwent ISO 27001 certification in 2015 and has since experienced the following benefits:

A decrease in the number of phishing-related incidents
Increased data protection capabilities
Promotion of a security-aware culture

What_IS_ISO_27001_02 — Source: TUVRheinland

The key elements of ISO 27001

While ISO 27001 doesn’t include any concrete benchmarks, Annex A of the standard offers a checklist of 114 controls in 14 clauses and 35 control categories. ISO 27001 certification requires evaluation and consideration of the following:

Information security policies: These policies include controls related to access, encryption, and system maintenance.
Operational & communications policies: These policies address IT management and network security.
Physical, environmental, human resources security: These policies focus on organizational and structural challenges in protecting data.
Compliance: These policies determine compliance with laws and regulations related to ISO 27001.

How do I get ISO 27001 certified?

While the International Organization for Standardization does establish standards, it does not certify them. They instead rely on certification bodies to conduct audits and issue official certification.

Once you’ve prepared, implemented, and analyzed your ISO 27001 policies, you should research the right certification body. Here’s further reading on how to choose a certification body.

Consistency and security in the digital age

Hopefully, you’ve learned a thing or two about ISO, ISO 27001, and the value of a connected and standardized world. As we navigate our new digital age, it’s crucial that we balance transparency and privacy to allow workers to do their best work ever.

Wrike is proudly ISO/IEC 27001:2013 certified, furthering our commitment to the security of customer data. Want to learn more about Wrike’s security standards? Visit wrike.com/security.

Leadership 10 min read

Think Security Breaches Are the Biggest Threat to Your Company? Think Again.

Security breaches aren't the only threat to the enterprise. There’s another, more subtle danger that may have an equal impact and longer-lasting consequences.

Project Management 7 min read

Raising the Security Bar in Collaborative Work Management

Hardly a day goes by that we don’t hear about a new security breach. 2018 saw a total of 1,244 reported data breaches in the U.S., according to a recent report by nonprofit Identity Theft Resource Center and security and privacy services firm CyberScout. While this number was down from 2017’s all-time high of more than 1,600 breaches, the number of compromised records exposing sensitive, personally identifiable information (PII) skyrocketed by 126%. This doesn’t even include the 1.26 billion non-sensitive records that were also exposed. As more data is created and business increasingly plays out in the online digital space, data breaches will only get more severe. Balancing security and flexibility in the cloud In an effort to maintain control and avoid these data disasters, some enterprises are still often reluctant to adopt third-party cloud applications, opting for on-premises solutions instead. As a result, they’re missing out on rapid, innovative cloud solutions to challenges like scalability, software updates, mobile connectivity, etc. In an age of mobile devices, remote workers, always-on customers, and lightning-speed innovation, cloud software is no longer optional if you want to remain competitive — even for the most conservative enterprises and industries. And while fast-paced, adaptable SMBs usually have far less stringent security requirements compared to enterprises, companies of all sizes should be equally concerned with today’s heightened security risks. The good news is that security and flexibility don’t have to be at odds with one another. Once companies accept that maintaining security is a constant and ever-evolving practice, they can take the steps necessary to protect their data, guard against the risks of today, and anticipate the threats of tomorrow. This point of view is why Wrike has always been at the forefront of collaborative work management security. Data protection has continued to be a core priority for us as we continue to grow our enterprise customer base and expand into new markets and industry verticals. Securing the collaborative work management space More than 250,000 organizations have adopted a collaborative work management solution. And while many vendors’ focus has been on solving problems like low productivity, poor collaboration, and broken workflows, addressing security needs that are unique to the enterprise — like considering how data is managed at scale — should also be a primary goal. Wrike refuses to merely meet the industry-standard minimum requirements for security in the enterprise. Security has always been one of our core pillars, and we’ve continuously pushed ourselves to solve more than just collaboration or work management challenges. Bare minimums won’t fly in the enterprise, nor are they good enough for being the digital workplace that companies trust with their invaluable data. We understand the best collaborative work management solutions solve for convenience and transparency in addition to control and security. Our customers want to be transparent and collaborative, while also being protected, whether that is from external or internal threats, accidental or malicious. That’s why we strive to keep this dichotomy in mind when developing new features or products for the Wrike platform, including the features I’m excited to announce today. Introducing Wrike’s new enterprise-grade security features The Wrike security strategy includes a comprehensive approach across five categories: physical, network, system, application, and people. Our latest platform security features include: Wrike Lock is an add-on feature that allows customers to own and manage the keys to their encrypted Wrike data, giving them data access control and audit capabilities even though their data is in the cloud. CASB integration support allows customers to use the CASB offering of their choice to enforce enterprise security policies on their Wrike data, enabling them to easily spot unusual user activity and better protect data stored in the cloud. Customized Access Roles better ensure privacy and content integrity by enabling customers to create roles with unique permission sets in order to satisfy varied access and sharing requirements. Access Reports enable customers to quickly and easily see which users have access to folders, projects, and tasks, as well as any tasks with attachments that external guest users have been invited to review. Selective sharing allows customers to make it so that folders and projects do not follow the default of inheriting sharing settings from parent folders or projects, giving greater access control over specific subfolders and subprojects. The new sharing interface makes it easier and more intuitive for users to modify sharing settings, better enabling and encouraging them to take greater control of access to work in Wrike. The new antivirus feature will scan files for viruses prior to being uploaded to Wrike, which will enhance the security of users’ devices by mitigating the risk of uploading or downloading infected files from Wrike. This feature will be available in 2H 2019. Wrike has also just completed the ISO 27001:2013 certification from BSI (British Standards Institution). The ISO/IEC 27001:2013 certification demonstrates that Wrike has a complete end-to-end security framework and a risk-based approach to managing information security, and illustrates Wrike’s commitment to a mature and robust security strategy. ISO/IEC 27001 is the most highly regarded and only internationally recognized standard for the establishment and certification of an information security management system (ISMS). It provides a set of requirements for an ISMS, establishing a systematic, risk-management-based approach to people, processes, and IT systems in order to protect sensitive company information. Raising the bar In today’s digital world, the moment you believe you’re secure is the moment you open yourself to an attack or breach. This is true regardless of your company’s size. Wrike’s ISO certification, Wrike Lock add-on, and all of our new and upcoming security features demonstrate our commitment to making Wrike the most secure collaborative work management platform on the market. As security threats evolve and the stakes get higher with every breach, Wrike will continue to invest in the security of our services and push the industry standard for collaborative work management. To learn more about Wrike’s Security practices, please visit our security page. And for more information about today’s announcement, read our press release.

Leadership 3 min read

Where Automation Helps and Where It Hurts (Video)

Since the invention of the assembly line, we’ve been obsessed with automation and its virtually limitless applications. But what should we automate, and what’s better off left alone?

For Teams

Use cases

Apps & Integrations

Explore Wrike

Learn and connect

Become Wrike Pro

What Is ISO/IEC 27001 in Information Security?