What is ISO 27001?
ISO 27001 is an international standard that specifies the requirements for establishing and developing an information security management system (ISMS). ISO 27001 certification is especially relevant for large companies, but recently it has also begun to be required of small companies at the contract negotiation stage.
Why ISO 27001 is important:
It’s time to protect your information. According to data from the InfoWatch analytical center, 1,556 cases of confidential information leaks were registered in 2016 (counting only those made public in the media; this figure is about one-hundredth of the total number of such incidents). Compared with the previous year, the number of leaks increased by 3.4%.
In 2016, in 36% of cases the source of the leak was a current (33.9%) or former (2.1%) employee of the affected enterprise itself. In more than 2% of incidents the fault lay with employees in managerial positions (top management, heads of departments and divisions) or with system administrators. Leaks that occurred on the side of contractors whose personnel had legitimate access to protected information accounted for 6%.
Data leaks occurred most often at medical institutions (25.8%) and least often in industry and logistics (3.9%). In terms of the volume of compromised records, first place belongs to companies in the IT sector, primarily large Internet services and online trading platforms: they account for almost three quarters (73.6%) of the total data volume in 2016. A considerable share fell on trading companies, hotels and restaurants (11.9%). Government agencies and municipal institutions account for 9.9% of the total volume of compromised data.
Distribution of the number of leaks and the volume of compromised personal data by industry:
The statistics described above explain why ensuring information security is today one of the most pressing issues not only in information technology and banking, where information security has always been at the forefront, but also in many other sectors of the economy. Information systems are dynamic and require regular security analysis and the immediate elimination of detected security threats. Providing comprehensive information protection around the clock is not an easy task, even for most large corporations.
- ISO 27001 – the basic platform for information security
To protect information, the international standard ISO 27001 was developed; it collects globally recognized best practices and can be applied by companies of any type of activity and size. When applied properly, an ISMS built on it effectively manages and protects the company’s valuable data, assets and information, minimizes exposure to risks (such as payment data breaches and hacking attempts) and gives customers and stakeholders confidence that the company is managing these risks.
- What are the reasons for the interest in one of the most famous standards from the ISO family?
First, with such rapid growth in the number of IT companies, competition for software development contracts is naturally intense. ISO 27001 certification is one way to show a potential client that you are competent in the industry and ready to work with serious customers. An ISMS shows that you care about protecting both your own information and the client’s.
Secondly, a requirement for an ISO 27001 certificate in tenders is now far from uncommon. Organizations often suffer security breaches and, as a result, serious losses, and larger companies are very strict about this: they undergo certification themselves and impose the same requirements on their suppliers. Such conditions appear regularly in tenders from financial organizations, retail enterprises, the banking sector and government agencies. An organization that does not meet these requirements simply cannot take part in the tender and, accordingly, cannot win it. Small companies think first of all about how to spend less, and large companies about how to earn more!
Thirdly, protecting information from leaks and cyberattacks remains a necessity in its own right, especially now that malware is becoming more dangerous (for example, the attack of May 12 this year: https://meduza.io/feature/2017/05/12/po-vsemu-miru-rasprostranyaetsya-virus-vymogatel-v-rossii-zarazheny-megafon-i-mvd-po-menshey-mere). You can’t buy company security! But you can buy the necessary equipment on the basis of which a security policy can be implemented. Certification is proof that both your own information and your customers’ information is protected. It is easier to implement an ISMS now than to restore your reputation later, after a leak of important information.
Fourthly, an “ace up the sleeve” in the form of ISO 27001 certification will allow the company to attract large foreign and domestic investors, who will see that your system is transparent and operates at the proper global level. The one who is ready to develop constantly and to offer what the market demands, and a little more, will be stronger in the competition for investors and customers!
- How difficult is the certification process?
It is almost impossible to say in advance. In general, implementing the ISO 27001 standard is a rather long process whose duration depends on many factors: the initial state of information security at the enterprise, the willingness of management and staff to change, the number of processes in the company, and the presence of other implemented standards (for example, ISO 9001). No accurate average time for implementing the standard and passing certification can be given, because there are many factors on which it directly depends.