What is ISO 27001 Certification?
Back in 2005, a new series of ISO standards made an appearance on the international stage of certifications (try to suppress the image of large wads of paper assembled in a line). Organisations that were already complying with standards aimed at transparency in corporate governance were invited to step up to a new suite of standards, all based on what is required to keep information assets safe.
The standard wasn’t really new in 2005. Its lineage goes back to the British standard BS 7799, first published in 1995. Part 1 of BS 7799, a code of practice for information security controls, was adopted by the International Organization for Standardization (ISO) as ISO/IEC 17799 in 2000 and later renumbered ISO/IEC 27002; Part 2, the specification of the management system that an organisation can actually be certified against, became ISO/IEC 27001 in 2005. You’ll still find copies of the code of practice today carrying the designation “ISO/IEC 17799”.
While ISO 27001 is an up-and-coming standard, it doesn’t quite qualify as “popular”, at least not on the ISO home page, which lists ISO 9000 (quality management) and several other standards under that heading. But the popularity of ISO 27001 depends very much on where you are. At the time of writing there are only 104 certified companies in the US, against 4,061 in Japan, 549 in the UK, 545 in India, 504 in China, and 459 in Taiwan. Go, Japan! The numbers go down from there to a number of countries with a single certification.
Who needs ISO 27001 Certification?
Sometimes an entire company will get itself certified, but often only one portion of a company is certified: a particular business unit, site, or product line. This is especially true for large, complex companies, where achieving overall certification would be an incredibly complex and consuming effort. A certificate is therefore only ever issued for a defined scope, and if you are relying on a supplier’s ISO 27001 certificate you should read the scope statement on it to check that the service you actually use is covered.
The standard places its focus on what ISO calls an ISMS. What exactly is that? No, I’m not referring to the Institution of Silly & Meaningless Sayings, although that site could prove a very entertaining diversion. The ISMS that the standard refers to, the Information Security Management System, is the mix of policies and procedures, together with the tools and records, used to manage, monitor, and document anything that is relevant to information security. An ISMS usually includes a large amount of automation, but also a lot of manual procedure.
A lot of what comprises information security in companies that are not ISO 27001 certified is relevant to ISO 27001, but an ISMS is more comprehensive and more rigorously governed. An ISMS does not cover just digital assets, but also paper (e.g., invoices, customer lists, contracts), data centers, buildings, and both on-site and off-site storage: pretty much anything that represents an information asset. An ISMS provides the means to systematically identify information assets, assess the risks to them, decide how each risk will be treated, and evaluate the effectiveness of controls (those things you do to mitigate the risks). In ISO 27001 terms this shows up as a documented risk assessment, a risk treatment plan, and a Statement of Applicability recording which of the standard’s Annex A controls have been applied and why the rest were left out.