It would be unusual for an IT company to have no controls in place to manage information security. However, this is often because tech-savvy employees know how to configure their systems securely, not necessarily because there is a structured Information Security Management System (ISMS) in place. IT companies are often good at technology but less good at structure, policy and management systems.
Many IT service providers introduce security controls in a piecemeal way. Typically, ‘point solutions’ are introduced to solve specific problems. Others are introduced simply as a matter of convention. Such an ad hoc approach to security policy addresses only some aspects of IT or data security, and can leave valuable non-IT information assets such as paperwork and proprietary knowledge less protected and more vulnerable. The ISO/IEC 27001 standard was introduced to address these issues.
What are the Requirements of ISO 27001?
ISO/IEC 27001 specifies a formal management system intended to bring information security under explicit management control. Being a formal specification, it mandates certain requirements. Organisations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified as compliant with the standard.
ISO/IEC 27001 requires that the organisation’s management:
- Takes a structured approach to examining the organisation’s information security risks, taking account of threats, vulnerabilities and impacts.
- Designs and implements a coherent and comprehensive set of information security controls, or other forms of risk treatment (such as risk avoidance or risk transfer), to address the risks that are deemed unacceptable.
- Adopts a management process to ensure that the information security controls continue to meet the organisation’s information security needs on an ongoing basis.
Why is ISO 27001 important and what business benefits does it offer IT Companies?
The business benefits of ISO 27001 certification are considerable. Not only does the standard help ensure that a business’s security risks are managed cost-effectively, but adherence to a recognised standard sends a powerful message to customers and business partners. ISO 27001 provides a structure for monitoring, reviewing, maintaining and improving a company’s information security management system, and gives partner organisations and customers greater confidence when they interact with your business.
Security is high on the agenda of many of your customers, and they want to deal with suppliers that can show they take security seriously themselves. Some customers will now only deal with suppliers that are ISO 27001 certified.
The benefits of ISO 27001 for IT Companies
- ISO 27001 is the internationally recognised standard for Information Security Management.
- It demonstrates a clear commitment to Information Security Management to third parties and stakeholders.
- It can provide a framework to ensure the fulfilment of commercial, contractual and legal responsibilities.
- It provides a significant competitive advantage, and can effectively be a licence to trade with companies in certain regulated sectors.
- It provides for interoperability between organisations or groups within an organisation.
- It provides compliance with, or certification against, a recognised external standard, which management can use to demonstrate due diligence.
The CIS Approach to ISO 27001 Implementation
Our approach to most ISO 27001 engagements is to first carry out a Gap Analysis of the organisation against the clauses and controls of the standard. This gives a clear picture of the areas where the organisation already conforms to the standard, the areas where some controls are in place but there is room for improvement, and the areas where controls are missing and need to be implemented.
For some organisations, this will be the extent of the assistance required. However, following the Gap Analysis and debrief, it may be necessary to provide further assistance in the form of advice, guidance and the implementation of the controls and policy documentation required to meet the standard.
Helping Your Own Customers to Implement Security Standards
Working with CIS to help your own customers implement security standards, including ISO 27001, can also be beneficial. It broadens the consulting services you can offer and strengthens your relationship with your customer’s senior management. It will also generate additional IT requirements that you will be well placed to fulfil.
If you would like to discuss implementing ISO 27001 in your own company, or providing assistance to one of your customers, please feel free to contact us.