ISO 27001:2017 "Information technology – Security techniques – Information security management systems – Requirements" is an international standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which is why its full designation is ISO/IEC 27001. It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system.
What is the difference between ISO 27001 and ISO 27002?
ISO 27002:2017 "Information technology – Security techniques – Code of practice for information security controls" is a supporting document that gives implementation guidance for information security controls: the measures that can be put in place to treat the risks identified by the risk assessment that ISO 27001 requires. Many organizations work through the list of controls in Annex A of ISO 27001 to check that they are applying recognized good practice and achieving an adequate level of information security. Annex A should not, however, be adopted wholesale as a checklist: ISO 27001 expects controls to be selected on the basis of your own risk assessment, so some Annex A controls may not be applicable to your organization while others that Annex A does not list may be needed, and every inclusion or exclusion has to be justified in the Statement of Applicability. Nor is Annex A sufficient on its own, since it names the controls without saying how to implement them; that guidance is what ISO 27002 provides.
Note that ISO 27002, unlike ISO 27001, is a guidance document: its clauses are recommendations ("should"), not auditable requirements ("shall"). It is therefore not possible to be certified to ISO 27002, only to ISO 27001.
What is ISO 27001 for?
ISO 27001 provides a standardized, proactive approach to information security management: you define which information needs to be protected, identify the risks to its confidentiality, integrity and availability, and decide how to treat them before an incident forces the issue. For an organization that wants to manage information security systematically rather than reactively, the standard is the most widely recognized framework available.
How does ISO 27001 work?
ISO 27001:2017 prescribes the use of an information security management system (ISMS): a standardized set of policies, processes, and procedures that lets you define what information needs to be protected, what types of protection it needs, and how the risks you identify are to be treated. In essence, the management system documents the company's approach to managing information security.
A fundamental requirement of ISO 27001 is that certain processes are in place to ensure effective, proactive information security management and continual improvement of the management system itself. The requirements are set out in seven clauses (clauses 4 to 10 of the standard) covering the context of the organization, leadership, planning, support, operation, performance evaluation, and improvement.
Why is ISO 27001 important?
There are many ways in which an organization can be harmed by a failure to protect its information, and the consequences can be catastrophic. In Europe, for example, failing to protect the personal data of the individuals the company interacts with can result in a fine under the General Data Protection Regulation (GDPR). If the failure also becomes public knowledge, the resulting negative publicity can do significant damage to the company's reputation.
Implementing an information security management system based on ISO 27001 helps organizations identify where the greatest risks lie and address them in an appropriate manner to reduce the likelihood of significant impacts occurring. This approach will reassure stakeholders that information security risk is being managed effectively.
What is ISO 27001 certification?
To provide further reassurance to stakeholders, and to customers in particular, an organization can also apply for ISO 27001 certification. An accredited certification body audits your information security management system against the requirements of the standard and, if it conforms, issues a certificate that serves as independent proof that your way of doing things meets those requirements. Certification is not a one-off exercise: the certificate is typically valid for three years, with surveillance audits in between and a full recertification audit at the end of the cycle.
How long does it take to become ISO 27001 certified?
There is no single answer to this question, as it depends on the size and complexity of the organization, what systems and processes are already in place, and what resources are available. As a rough guide, it takes 6 to 9 months for a small, low-complexity organization and up to 18 months for a very complex one.
Is ISO 27001 certification mandatory?
There is no legal obligation to become ISO 27001 certified; organizations choose to do so for the benefits it brings. Bear in mind, however, that you may have contractual obligations to protect the information of customers or other stakeholders, and there is a growing global trend of customers requiring their third-party suppliers to implement ISO 27001.