ISO 27001 is a set of standards for information security management systems (ISMS). Created by the International Organization for Standardization, an independent, non-governmental organization, ISO 27001 is a part of the broader ISO/IEC 27000 family, a set of standards designed to “[help] organizations keep information assets secure.” As we’ll discuss below, the 27001 specification is incredibly important for businesses. From internally auditing your security posture to externally receiving certifications, the specific points within ISO 27001 should play an active role in managing your business’ data and information security.

What is ISO 27001?

ISO 27001 provides standards for enterprises, governments, and other organizations to build and maintain their information security management systems. As the ISO defines it, an ISMS is a systematic approach to securing sensitive company information. This can be anything from financial data to intellectual property to employee details to third-party information. And although it has the word ‘system’ in it, an ISMS isn’t constrained to just technology. People and processes are an equally important part of securing the information your business uses day in and day out.

Because the ISO is a non-governmental organization that writes general compliance principles – not how to implement them – the organization has no authority in and of itself to enforce “violations” of its standards. That said, many institutions that do have legal or regulatory authority rely on it for guidance. For this reason it has even been referred to as the “umbrella” for ISMS policies.

Who cares?

If your business wants to comply with a specific set of industry standards, it’s highly likely that ISO 27001 plays a role – or at least has similar high-level guidance. This is the case with everything from J-SOX in Japan to the Data Protection Directive (DPP) in Europe to the Payment Card