The International Standards Organization (ISO) created information security standards as a guide for companies to maintain a safe environment for information assets. This blog post gives an overview of the applicable ISO security standards and the steps toward successful implementation, leveraging professional practices used within the internal audit function.
What Are ISO Standards?
The International Standards Organization (ISO) is an independent, non-governmental international organization. The main goal of ISO is to bring experts together to share knowledge in an effort to create relevant international standards that support process revolution and provide solutions to problems in all industries around the world.
ISO was formed in 1946 when delegates from 25 countries met and decided to create an organization that facilitates the international integration of industry standards. Fast forward 70 years, and ISO now has more than 21,000 standards and other published works that are available to companies globally in a variety of industries such as technology, food safety, agriculture and healthcare. They provide specifications for the manufacturing of products, the provision of services and the use of systems to help ensure quality, safety and efficiency.
Why Use ISO Standards?
Over the years, studies have been performed to identify the benefits that are provided by ISO. Studies revealed that ISO frameworks provide a positive impact on the overall success of businesses by focusing on identifying risks and defining control objectives. Below are some examples of benefits that companies have reported after the implementation of ISO standards.
- Provides a competitive edge
- Customers take the company more seriously
- Increases credibility among the marketplace
- Increases in compliments vs complaints from customers
- Regulators speculate less
- Board’s risk mitigation plan has more structure
- Staff has a clearer understanding of their roles and responsibilities
- External audit results provide better insight on the effectiveness of business systems and processes
- CEO feels more relaxed that their business is better controlled using ISO standards
Which ISO Standard Pertains to Information Security?
The ISO security standards created to protect information assets are within the ISO 27000 family. This family consists of over a dozen topics pertaining to information assets and the implementation of specific information security standards and control objectives. This blog post will focus on the information found within ISO 27001 and ISO 27002.
In simple terms, the information security management system (ISMS) is the accumulation of the information security framework requirements that, when functioning in unison, help a company identify and protect the information it determines to be most valuable. ISO 27001 outlines the control objectives that a company must meet, through evidential support, if its goal is to be ISO 27001 compliant.
ISO 27002, while focusing on the same control objectives, provides its audience with illustrative examples that a company can choose to implement. This ISO standard is essentially an ISO playbook created to help companies choose controls that meet the required objectives outlined in ISO 27001.
More information about these ISO security standards can be found at ISO’s website. Additionally, this website has a store where you can purchase ISO guidelines, collections and checklists.
Understanding the Steps Toward ISO 27001 Compliance
The first step to creating a secure ISMS is to understand its scope within the organization. To understand the scope of the ISMS, it is imperative to consider the variables or risks, both internal and external, that may affect its ability to function properly. An example of an internal and external risk is that users (internal and external) may not understand their roles and responsibilities in safeguarding confidential information.
During this exercise, it is imperative to understand where information security requirements can originate. Generally, requirements originate from a few core areas: the risk assessment; contractual agreements such as statements of work or master service agreements; and requirements set internally to aid in the successful operation of day-to-day business activity.
Once requirements have been set, it is time to start choosing those controls that best fit the needs of the company.
How to Maintain ISO 27001 Compliance
The next requirement of ISO 27001 compliance is monitoring and improvement. To do this, the best professional practice is to incorporate some form of internal audit.
Utilizing internal auditors allows for a structured methodology to be implemented to test the operating effectiveness of controls in accordance with the requirements identified in the initial setup as well as those requirements identified by ISO.
The reports generated by the internal audit group should be retained and reviewed by management on a regular basis. In addition, management should be using these reports while considering any changes necessary to improve the operational effectiveness of the controls being tested.
Summary & Conclusion
ISO was created about seven decades ago in an effort to provide specifications for the manufacturing of products, the provision of services and the use of systems to help ensure quality, safety and efficiency across the globe. Part of this effort includes information security, which is found within ISO standard 27000.
ISO security standard 27000 provides companies with the controls, guidance and checklists needed to successfully maintain a safe environment for information assets. Using these documents together provides companies with the tools needed to navigate their environment for requirements, risks and controls which together create the ISMS.
Finally, a successful ISMS requires monitoring and improvement. This is satisfied using assessments completed by internal auditors. The internal audit function should be maintaining evidence to determine the operating effectiveness of controls put in place. Furthermore, management should be involved so they understand any deficiencies and can make improvements as necessary.
Understanding the benefits of having standards such as ISO has proven to be an effective tool for businesses around the world. It is important to understand that incorporating any standards into a company should be more than just checking a box off that shows your business is in compliance with a particular standard. Using standards like these can take the success of your business to a whole new level.
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.