We’ve noticed a new trend in recent years. International information management standards and risk assessment procedures are being more readily adopted by companies here in the United States. Why should national brands make the effort to comply with ISMS regulations developed for international breadth?
“ISO reports a 78% year-on-year increase in US-based ISO 27001 certifications,” according to IT Governance USA.
There are some solid reasons that are supporting this strategic decision. The advantages of an ISO 27001 certification is just as salient for U.S. businesses as they are for international corporations.
Growing U.S. Compliance with International Standards Outlined by ISO
In the past five years, we have noted a significant increase in the number of American-based organizations seeking ISO certification. And we aren’t the only ones in the industry to spot this trend. According to a survey by the International Organization for Standardization (ISO), more U.S. companies are obtaining certification each year.
Though ISO 27001 was developed as an international standard, more and more companies operating in the U.S. are recognizing its benefits. Certifying the strength of one’s information security management system has proven to be a valuable undertaking for companies in industries such as IT, transportation, communications, and healthcare.
Why Would a Company Want to Be ISO Certified?
None of the ISO standards are mandatory for U.S. businesses. So, you may be wondering what the=e advantages are. Because it is an international best-practice standard for information security, there are some clear results that would make it worth the effort. For starters, ISO certification shows your clients, investors, employees, trustees, third parties, and other stakeholders that you take information security seriously.
Learn more about the Advantages of ISO Certification.
The International Organization for Standardization (ISO), along with the International Electrotechnical Commission (IEC), has developed a family of standards set to protect information assets. The ISO/IEC 27000 series is a full suite of standards specifically designed to keep help businesses keep data assets secure as more and more people and businesses become a part of the technological framework.
This comprehensive industry-respected family of standards can help your IT team in their efforts to manage the security of assets associated with employee details and human resources, financial information, intellectual property and trade secrets, and any information placed in your care by third parties.
What Does It Mean to Be ISO Certified?
ISO 27001 may be the best known of the more than one-dozen ISO family of standards, ISO 27002 can be useful as a reference for selecting security controls in line with ISO 27001. It’s important to note that ISO 27001 is a certification process, but organizations cannot achieve certification for ISO 27002.
Achieving and maintaining the appropriate ISO standard certification may help your team land new exciting new business accounts, based on this certification alone. In a time where information has become its own currency, every above-and-beyond step you take to ensure security is likely to be rewarded with trust.
Let’s take a closer look at each ISO/IEC standard to help you determine which standard may best serve your organization’s goals in protecting valuable data resources.
ISO 27001 is the international standard that lays out the details and best practices for an organization’s ISMS, which is critical to preventing controls from becoming disjointed and disorganized.
Often designed and implemented as temporary stop-gaps—or point solutions—for specific situations, an organization’s controls can quickly and easily take on a random—or even chaotic—existence within a system without an effective ISMS. And of course, “random” and “chaotic” are not terms you want to apply to your information system’s security controls.
ISO 27001 can be adopted by and implemented in any type of organization, in any sector, including the following:
- Profit or non-profit,
- Governmental at federal, state, and local levels,
- Private firms of any size – small, medium, or global.
Composed by the world’s top experts in information security, ISO 27001 offers a thorough methodology for the application and fulfillment of ISMS in an organization. The standard also allows companies to become certified, which confirms that your organization is fully compliant with the ISO 27001 standard. Generally, ISO 27001 certification helps prevent data breaches and system infiltrations, makes compliance with other industry regulations easier, and is a recognizable security attestation.
It may help you to see a sample ISMS that aligns with the ISO 27001 standard. Take a look at the following sample ISMS strategy to see if it may help you determine whether ISO 27001 is right for your company:
1. Determine the Scope of Your Organization’s ISMS.
Determining what your organization’s ISMS will ultimately contain and cover is the first step in eliminating any semblance of chaos in your system. The scope focuses on dependencies and interfaces. Dependencies are essentially outside of the organization; they include third-party services for accounting, cleaning, and legal support. Once dependencies are identified and eliminated, you can focus on interfaces. Interfaces include all endpoints within your network, such as the router, and high-level interfaces like employees, processes, and technology.
2. Perform a Risk Assessment of the Areas within the Scope of the ISMS.
Pinpointing your system’s risks and vulnerabilities is a crucial step in designing your ISMS and becoming ISO 27001 certified.
3. Create Policies and Procedures for ISMS and ISO 27001 Compliance.
Once you define the scope, your system’s controls, and the risks within your system, create a set of policies and procedures to help your team maintain compliance and avert threats.
4. Assign Responsibilities for ISMS Design and ISO 27001 Compliance.
Your ISMS team should be comprised of dedicated staff who understand the system’s risks and vulnerabilities. They will work to minimize those risks, using the set policies and procedures—based on ISO 27001 best practices—as a guide. Your information security manager, or some similarly titled position, will serve as the point person for maintaining a smooth-running ISMS.
5. Conduct Regular Audits.
Internal and external audits can help ensure that your team is on track for ISO 27001 compliance. Auditing firms extend a seal or certification proving that an organization has maintained an effective ISMS for that period and is in compliance with the ISO 27001 standard.
ISO 27002 serves as a guideline for organizational information security standards and best practices for information security management. Taking into consideration the business’s information security risk environments, ISO 27002 focuses on the organization’s selection, implementation, and management of controls. It is meant to be used as a guide, based on ISO 27001, for identifying appropriate security controls within the process of implementing an ISMS.
Ultimately, while ISO 27002 is more of a guideline to achieving best practices and has subtle differences to ISO 27001, it also serves to demonstrate the stability of your organization’s ISMS. The main difference is that ISO 27002 does not distinguish between controls applicable to your particular organization, and those which are not. ISO 27002 is a reference for selecting security controls, rather than a certification process.
The latest version of the ISO 27002 covers 114 controls over 14 sections:
- Information Security Policy
- Organization of Information Security
- Human Resources Security
- Asset Management
- Access Control
- Physical and Environmental Security
- Operations Security
- Communications Security
- Information Systems Acquisition, Development and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity
Take a look at a few examples of what some of the codes may encompass in your control environment:
Physical and Environmental Security
Here, you may consider factors like physical access to the network infrastructure, a list of staff who has access to the system, and a log of visitors to the physical work site.
Human Resource Security
Human resource security helps prevent bringing people into the facility who do not have the best intentions. A few ways to maintain human resource security is to screen candidates before hiring and to require all employees to sign a binding agreement drafted to protect the confidentiality of data assets.
If you still need some guidance, our ISO team at I.S. Partners, LLC. can help you sort it out. Call our office or request a quote here.