ISO is an independent international organization based in Geneva, Switzerland; the International Electrotechnical Commission (IEC) is its standardization partner. ISO/IEC 27001’s main function is to protect three aspects of information: confidentiality, integrity, and availability.
ISO/IEC 27001 was developed to help organizations, regardless of size, sector, or country, protect their information in a systematic and cost-effective way by adopting an ISMS—a set of policies, procedures, processes, and systems that manage information risks.
ISO/IEC 27001 certification is globally recognized as a benchmark of effective information asset management. Organizations that are ISO/IEC 27001-certified go through a series of audits to demonstrate that they are fully compliant with its best practices for keeping confidential information secure. Benefits of achieving ISO/IEC 27001 certification include:
- Satisfying different commercial, contractual, legal, and regulatory requirements, such as the Sarbanes-Oxley Act (SOX), NIST CSF, and the GDPR, because compliance with 27001 means selecting and implementing the same security controls these frameworks require.
- Gaining a competitive advantage for winning new business and retaining customers; certification proves the organization has taken the steps to protect data confidentiality, integrity, and availability.
ISO/IEC 27001 released a new version in October 2022 designed to address growing global cybersecurity challenges and improve digital trust. It specifies requirements for how an organization can establish, implement, maintain, and continually improve its ISMS and includes guidance on how organizations can assess and treat their specific information security risks.
ISO/IEC 27002 is not a certification; it is a set of guidelines that provide information security controls designed for organizations to use:
- When implementing 27001
- When implementing information security controls
- For creating organization-specific information security management guidelines
ISO/IEC 27002 was updated in October 2022 to correspond to the new 27001 release.
ISO/IEC 27002 organizes controls into 14 main groups, listed below. In keeping with the last bullet above, it is a good idea for organizations to first undergo a risk assessment to identify which of these controls are most important for them to implement:
- A.5 Information security policies
- A.6 Organization of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance