Why Should You Choose An ISO 27001 Accredited Supplier?
8 February 2012
We’ve just been through our fourth ISO 27001 audit in order to remain certified to this important standard. It’s quite an undertaking to comply with this standard on a day-to-day level, and it certainly requires a great deal of commitment. However, I believe that the ISO 27001 standard is essential not only for our business, but for any business. I am therefore often surprised by how many business leaders and IT managers seem to be unaware of this standard and the value that it brings.
ISO 27001 is for information security what ISO 9001 is for quality – but it’s much bigger. ISO 27001 has been established by the world’s top experts in the field of information security to provide a methodology for the implementation and management of information security in an organisation. It also enables an organisation to get accredited, which in short means that an independent certification body has confirmed that information security has been implemented in the best possible way.
ISO 27001 specifically prescribes how an organisation will manage information security through a system of information security management tools and procedures. In essence, it aims to ensure that appropriate controls and management systems are in place to protect a business and its assets, particularly around key IT security areas that include:
- Confidentiality: by limiting information access and disclosure to authorised users/entities only, and by preventing access by or disclosure to unauthorised users/entities.
- Integrity: by ensuring that data has not been changed inappropriately, whether by accident or deliberately, i.e. maliciously. This concept also includes “origin” or “source” integrity, i.e. ensuring a company can confirm that any data it receives has actually come from the person or entity identified as the sender.
- Availability: by ensuring that all key information resources are available when needed. If one IT system is down and/or key data is lost, the entire business may be put at risk.
Businesses, and IT systems in particular, are continually exposed to threats of every kind: old and new, known and unknown, internal and external. ISO 27001 focuses on identifying all risks to a business, evaluating them, and then putting controls in place to mitigate them.
An ISO 27001 system is generally controlled through:
- Policies and processes
- Procedures and organisational structures
- Hardware and software
All of these different factors need to be implemented, managed and evaluated regularly to ensure the business is continually improving in relation to IT security. An external audit is an essential tool for verifying that all of these systems are in place and working effectively.
In addition to maintaining IT security, ISO 27001 can be used as a business organisational tool that can assist with:
- Risk Management
- Human Resources
- Physical Security
- Business Continuity
- Regulatory Compliance
To summarise, it makes sense to choose an IT supplier who is accredited to the ISO 27001 standard. Of course, this standard alone cannot guarantee that a supplier is hyper-secure, but businesses are still better off choosing to work with a company that is accredited, since compliance with this standard represents a fundamental and far-reaching commitment to IT security.
It is also a good idea to choose a supplier who has been ISO 27001 certified for a number of years, as it can take some time to ensure that this standard is fully embedded within all aspects of the supplier’s business.