What Is ISO 27001 and How It Helped Us Prioritize Information Security

What is ISO 27001?

ISO 27001 is the leading international standard focused on information security, published by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC). Both are leading international organizations that develop international standards.

ISO 27001 was developed to help organizations, of any size or industry, to protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).

In a nutshell, an ISMS is a set of rules that a company needs to establish in order to identify risks, define controls to handle risks, set clear objectives on what needs to be achieved regarding Information Security, implement controls and risk treatment methods, continuously measure if implemented controls are done as expected and make continuous improvements to make ISMS work better.

The defined rules, controls, and measurements are written down in the form of policies, procedures, and other types of internal documents.

Why is ISO 27001 important?

The standard itself is leading the companies that implement it with the necessary know-how for protecting their most valuable possession: data. Having the standard correctly implemented, and thus receiving the certification, has helped all of us within Maxcode to learn and protect our most important asset, data, while giving our clients the peace of mind that we, as partners, are up to the task of safeguarding their data in the right way.

In the end, our Information Security certification SR EN ISO/IEC 27001:2018 guarantees to our clients that Maxcode is knowledgeable and implements strict requirements in the field of Information Security with emphasis specifically on confidentiality, integrity, and availability of protected data.

What are the ISO 27001 Requirements?

ISO 27001 contains a very thorough list of requirements defined in its clauses.

These requirements must be implemented in an organisation in order to become compliant with the standard, and are to be implemented only if they are applicable according to the declarations within the Statement of Applicability:

• Organization, context and its needs defined in order to identify and write the ISMS scope
• Leadership, roles, responsibilities and authorities are defined to clearly emphasise the importance of having Information Security supported by management
• Planning of actions to address risks and opportunities. Documenting how to handle risk is essential for running of a successful ISMS
• Internal support by offering an adequate level of resources into the establishment, implementation, maintenance and continual improvements of the ISMS
• Operational planning and control of controls and actions to address risks and opportunities. Actions that are written as part of the Statement of Applicability need to be listed and explained, even if one is deemed to be not applicable to the organization and therefore is not relevant
• Monitoring and measurements in order to evaluate how the ISMS is performing and looking for effectiveness of the ISMS
• Corrective actions are to be taken to address Information Security nonconformities

How to Become ISO 27001 Certified

Once organizations have prepared all the necessary documentation, they must contact an accredited certification body that has mandate to recognize certifications against national variants of ISO 27001.

The ISO 27001 certification usually involves a multi-stage audit conducted by a certification body:

• preliminary audit – an internal, informal, review of the ISMS, checking documents and completeness of key documents defined in the standard. This stage is made to check all documents are in place and also familiarize the auditors with the organization and it can be considered as a preliminary screening process
• initial audit – or stage 1, a formal compliance audit testing the ISMS against the requirements from ISO 27001. The auditors are looking for evidence, or proof, to confirm that the ISMS has been properly designed and implemented and is in operation correctly. The process takes around 3 – 5 days with the outcome being a report of preliminary failures, if any. Any corrective actions are noted and are to be implemented and checked on the next ongoing audits
• ongoing audits – or stage 2, also known as compliance audits, are follow-up reviews are conducted to confirm that the organization remains in compliance with the standard and the ISMS is operating effectively and consistently

It usually takes around 6 – 12 months, depending on the scope, size and complexity of the ISMS, to get to be ISO 27001 certified.

How the adoption of an ISMS has helped us

Having an ISMS brings about immediate benefits, and this was obviously something we have taken into account when we decided to implement this standard.

• First of all, it helps refine the processes within an organization. As a growing company, the need to define our processes and procedures so that employees know what’s to be done, when and by whom is essential. ISO 27001 encourages companies to write down processes and procedures so that they can be utilized by all employees in the same way. Thus, by implementing the same processes and procedures, we function like a well-oiled machine, we become better organized and, as a result, more successful.
• Secondly, it helps the company stand out of the crowd, in a positive way. For example, in our line of business, mainly with financial institutions and healthcare companies, there is a strong need to create and maintain a competitive advantage. By showing to our clients that we are certified, and thus utilizing the standard correctly and efficiently, we get more exposure and trust from the market. Taking into account that the finance and healthcare are among the most regulated industries, we automatically ensure the same rigors and we are able to handle any other type of data challenges for companies involved in other industries. Moreover, financial and healthcare ecosystems are not shy of having strict legal requirements. The sheer number of laws, regulations, contractual requirements, etc. are easily complied with by using the standard with clear guidelines on what needs to be managed and how.

• Last but not least, it saves money. Cost is a benefit that comes by implementing ISMS due to the fact that there is a strong emphasis on prevention. Every possible incident costs money, so if we spend accurate time designing prevention techniques and we implement them, we see that the company saves money in the long run.

What you need to keep in mind

The focus of ISO 27001 is to protect confidentiality, integrity, and availability of information in a company. This is done by defining strict controls and procedures written in the Statement of Applicability. The controls are practices to be implemented to reduce risks to acceptable levels. The controls cover a wide array such as technical, organizational, legal, physical, human, etc.

There is also strong emphasis on Risk Assessment and Risk Treatment Methodology that guide the company in managing these risks before they actually happen. One other key document that is part of the standard is our Business Continuity plan, that defines the responses of the company on major items that might impact the business.

As of November 2019, Maxcode is fully compliant with the SR EN ISO/IEC 27001:2018 standard as being audited and certified by an authorized certification body. If you are curious about our journey or want to have a chat on the advantages of working with a company that is ISO 27001 compliant, drop us a line.