ISO/IEC 27001 – the Information Security Management System Standard

What is ISO 27001?
ISO/IEC 27001 is the international standard for information security management systems (ISMSs). Because it requires an organisation to identify its legal, regulatory and contractual obligations and to manage the risks to its information systematically, it can support many of an organisation's compliance objectives concerning data privacy and information security, although certification alone does not guarantee compliance with any particular law.
Certification to ISO 27001 is increasingly seen as a strong assurance to customers and business partners that your organisation is committed to meeting its information security obligations.
What are the benefits of being ISO 27001 compliant?
- Legal compliance: An ISO 27001-certified ISMS can help your organisation meet the requirements of various data protection and information security laws around the world, such as HIPAA and FISMA in the US, the UK Data Protection Act and the EU General Data Protection Regulation (GDPR), because the ISMS forces you to identify those obligations and to implement and evidence controls against them.
- Demonstrates information security best practice: An ISO 27001 certification typically costs less than an ISAE 3402 or SSAE 16 service-organisation audit, and demonstrates that a structured, independently audited set of security processes and procedures is in place.
- Maintain customer loyalty/win contracts: Certification to ISO 27001 shows that your organisation is committed to the security of its information; it is increasingly a tender requirement and can give you an advantage over competitors that cannot demonstrate the same, building stakeholder trust and customer loyalty.
- Continual improvement: The Standard requires the ISMS to be monitored, measured, audited and reviewed, so the certification process helps the whole organisation focus on continually improving its information security processes.
- Avoid the costs incurred with a data breach: Certification to ISO 27001 is a widely recognised benchmark for effective management of information and data security. A functioning ISMS reduces the likelihood and impact of a breach, and helps your organisation avoid the fines, remediation costs and reputational losses that accompany non-compliance with data protection requirements.
Your organisation is not protected by technical security measures alone
Technical security measures (such as firewalls and antivirus software) and compliance checklists have a limited ability to protect a complete information system on their own: they do not address who is responsible for security, how risks are identified and prioritised, or how people are expected to behave.
ISO 27001 specifies the requirements for an information security management system; its companion standard, ISO/IEC 27002, provides implementation guidance for the security controls listed in Annex A of ISO 27001.
An ISMS therefore takes a holistic approach to information security, providing protection on three levels: people, processes and technology.
ISO 27001 and risk assessments
The risk assessment is at the heart of effective information security management.
The risk assessment is a crucial element of establishing an ISMS: it identifies the relevant risks to the organisation's information so that appropriate, proportionate responses can be selected and implemented to deal with them. ISO 27001 requires the assessment to be repeated at planned intervals and whenever significant changes occur.
Many companies use ISO 27001 as the ‘gold standard’ for designing a comprehensive set of security controls. An ISMS based on ISO 27001 demonstrates the extent to which cyber and information risks are being identified and effectively controlled.
Find out more about ISO 27001 risk assessments by downloading our free green paper.
How to conduct an ISO 27001 risk assessment
- Choose the appropriate risk assessment methodology (for example asset-based or scenario-based) and document it, so that repeated assessments produce consistent, comparable results.
- Select the criteria and ‘rules’: the impact and likelihood scales, how they combine into a risk score, and the risk acceptance threshold above which a risk must be treated.
- Conduct the risk assessment:
  - identify assets, the threats to them and the vulnerabilities those threats could exploit (or, in a scenario-based approach, the risks directly)
  - estimate the impact and likelihood of each risk and score it against the agreed criteria
- Select the appropriate risk response for each risk that exceeds the acceptance threshold:
  - treat (reduce the risk by applying controls, typically selected from Annex A)
  - transfer (share the risk with a third party, for example through insurance or outsourcing)
  - tolerate (accept the risk, with documented management approval)
  - terminate (avoid the risk by stopping the activity that causes it)
- Produce the reports:
  - including the Statement of Applicability, which lists every Annex A control with its justification for inclusion or exclusion, and the risk treatment plan, which records who will implement each selected control and by when
- Monitor, review and communicate: track the treatment plan to completion, re-assess when assets, threats or the business change, and report residual risk to management for acceptance.
How Vigilant Software can help
vsRisk Cloud: Find out how vsRisk Cloud can help speed up and simplify the risk assessment process.
Compliance Manager: Manage your information security and data protection requirements with Compliance Manager.