ISO 27001 – is it the magic bullet for technology companies?
ISO/IEC 27001 is an internationally recognized standard that covers both the physical and logical aspects of information security. Certification against it is highly applicable to providers of IT-oriented services, because it is intended to ensure appropriate protection of the information assets that matter to your organization and to your customers.
An Information Security Management System (ISMS) provides a framework for identifying and reducing the critical risks to an organization's information assets and for protecting those assets on an ongoing basis. It sets a standard for managing the confidentiality, integrity and availability of the information the organization holds.
The complaint is that people are being regulated out of their profit margins. We have to deal with HIPAA and Sarbanes-Oxley, with Safe Harbor if we do business with European companies, and with PCI DSS, and people say this is simply onerous. They are right, but if you tackle each of these regimes in its own silo, you will fail: you will never be truly compliant, and you expose yourself to legal liability down the road for representing controls as in place when they really are not. ISO 27001 offers a way of satisfying the requirements of these various statutes, regulations and industry standards with relatively minor adjustments. It can help you comply with Safe Harbor, PCI DSS, CSF, SOC 1 and SOC 2, SOX, GLBA and others. You build the management system once and comply many times, which can save millions of dollars and improve the security and control environment around your business. The mapping from ISO 27001 controls to each regime still has to be done requirement by requirement, and each regime keeps its own evidence and audit obligations, so certification alone does not make you compliant with any of them.
The difficulty providers face is that we, as consumers of their services, are not good at explaining what we want and need. One thing ISO 27001 can do is force us to be clearer and to say, "I need these kinds of features, and I need them to work in a certain way."
“When you run through the processes for ISO 27001, you are forced to look at everything you do from a slightly different angle, exposing weaknesses you’d never dreamt of.”
“We entered into the certification process thinking that nothing would change, but it has and for the better. In a highly technical business, it’s easy to say that we understand a particular process intimately, particularly when we have senior people who are highly technical. We were surprised by how many small details are so easy to miss but vitally important.”
“There is nothing exceptionally difficult; it’s just very detailed. You may even need to make major changes, which means you are going to need commitment from the top of your organization and be open to change. Changes we have made include migrating services to two new data centers; our existing suppliers were not accredited.”