Consistency is vastly underrated. Long before ISO 27001, the ISO itself, time zones, and even the metric system, agreed-upon standards were used to work towards common goals and accomplish more than we ever thought possible. The ways we measure time, distance, and the world around us would be impossible to articulate were it not for the humble standard.
“Standards bring people into alignment, and people that are aligned have been able to do the impossible.” - Lucas Szymanowski, Director of Information Security and GRC at Wrike
You might’ve assumed that ISO 27001 was a granular piece of IT jargon. But there’s more to it: It belongs to an organization and broader socioeconomic movement that’s been driving society towards greater collaboration and innovation worldwide since the 1940s.
What is ISO?
The International Organization for Standardization, or ISO, is an independent agency that sets standards for goods and services. These standards can be as narrow as the sizing of rail gauges or as broad as the proper way to make tea, but every ISO standard is put into place with the intention of increasing consistency in global industry.
ISO was founded in 1946 and has since created tens of thousands of standards that address a wide variety of manufacturing and technology-related products, services, and processes. Modern contemporaries of ISO standards include GDPR in Europe and HACCP in food safety standardization.
Notable ISO standards include those in information security (like ISO 27001), environmental management, social responsibility, and logistics.
Why are ISO standards important?
ISO standards are the unsung heroes that help simplify a complex and oftentimes incompatible world. One of their most significant impacts on world commerce has been the establishment of ISO/TC 104, which standardizes the dimensions and specifications of freight shipping containers.
Before containerization, global trade moved at a snail’s pace. Misshapen boxes and abnormal cargo created logistical nightmares if, say, bundles of English cotton were transported onto French ships, over German railways, and into Baltic stores. A lack of transportation standardization caused significant waste in shipping times and labor.
With the establishment of ISO/TC 104 and other freight standards in the 1960s, cargo ships began hauling exclusively 20-foot containers, culminating in an estimated savings of 75% in global shipping costs. We might take global standardization for granted today, but international consistency in freight is considered one of the most influential inventions in history.
The International Organization for Standardization has continued to provide consistency and value in the digital economy with its inclusion of information security standards starting in 2005.
What is an ISMS?
An ISMS is an information security management system, a methodology that ensures a high level of information security through defined processes and best practices. Within the context of ISO, you can think of ISMS as a standard for responsible security practices.
Now that you have an understanding of both the ISO and ISMS, let’s dive into the fundamentals of the ISO 27001 certification.
ISO 27001, explained
According to the International Organization for Standardization, ISO/IEC 27001 is a standardized ISMS certification created to ensure a high level of information security in technology products, services, and processes.
Try to think of ISO 27001 as your typical ISO standard: Just as uniform freight containers helped to connect worldwide shipping, uniform information security can help integrate our digital world with a strong and secure foundation.
While the ultimate goal of ISO 27001 is to protect data, many of its core elements extend beyond digital protection and include structural and organizational guidelines. ISO 27001 takes a holistic approach to information security to reduce the risk that personnel error leads to a security breach.
Lucas Szymanowski, Director of Information Security and GRC at Wrike, adds, “ISO 27001 defines, on an international level, the baseline for how we protect customer data, manage information security processes, and guarantee protection and security.”
What are the benefits of ISO 27001?
In 2018, the data of over 1 billion people was exposed in a handful of large-scale security breaches. An ISO 27001 certification is a seal of approval saying that your organization is compliant with information security best practices and fortified against potential threats.
Similarly, an organization is only as strong as its weakest link. Teams that invest in ISO 27001-certified tools work with greater confidence knowing that their data integrity is sound.
For example, the University of Tampa underwent ISO 27001 certification in 2015 and has since experienced the following benefits:
- A decrease in the number of phishing-related incidents
- Increased data protection capabilities
- Promotion of a security-aware culture
The key elements of ISO 27001
While ISO 27001 doesn’t include any concrete benchmarks, Annex A of the standard offers a checklist of 114 controls in 14 clauses and 35 control categories. ISO 27001 certification requires evaluation and consideration of the following:
- Information security policies: These policies include controls related to access, encryption, and system maintenance.
- Operational & communications policies: These policies address IT management and network security.
- Physical, environmental, human resources security: These policies focus on organizational and structural challenges in protecting data.
- Compliance: These policies determine compliance with laws and regulations related to ISO 27001.
How do I get ISO 27001 certified?
While the International Organization for Standardization does establish standards, it does not certify against them. It instead relies on accredited certification bodies to conduct audits and issue official certification.
Once you’ve prepared, implemented, and analyzed your ISO 27001 policies, you should research the right certification body. Here’s further reading on how to choose a certification body.
Consistency and security in the digital age
Hopefully, you’ve learned a thing or two about ISO, ISO 27001, and the value of a connected and standardized world. As we navigate our new digital age, it’s crucial that we balance transparency and privacy to allow workers to do their best work ever.