What is ISO 27001 and why is it important?

You may have noticed this badge when browsing the Unified Software website – it’s the ISO/IEC 27001 Certification badge, and it means that Unified’s security meets ISO certification standards.

So what is ISO 27001?

ISO/IEC 27001 is an international set of standards for managing information security. ISO stands for International Organisation for Standardisation and IEC stands for International Electrotechnical Commission. Organisations that meet the standard requirements can apply to be certified by an accredited certification body, and if they pass the audit they can display the ISO certification badge on their site.

What are the ISO 27001 standards?

As a broad summary, the ISO/IEC 27001 requirements are:

• That management examines and documents any possible information security risks and threats, and examines any possible impacts
• The organisation must have a comprehensive information security management system (ISMS) in place, as well as any other risk avoidance measures necessary to address risks
• The organisation must continually assess and re-assess its ISMS to ensure that security needs are being met on an ongoing basis

These procedures must be proved to the certification body via a collection of records and documentation, as specified by the ISO. For example, all of the organisation’s security controls must be listed in a document called the Statement of Applicability, and plans for the event of a security breach must be outlined in an Incident Management Procedure document.

Why is ISO important?

Almost all companies have at least some security controls, but these can be disorganised and differ from company to company, meaning that the customer can’t be sure what exact security measures are being taken with their data. ISO certification solves this problem, by providing an organised list of standards that a company can compare themselves with to make sure they’re doing all they can, and so customers can see specifically how their privacy is being taken seriously. It’s an international standard, so it’s recognised all around the world.

Another benefit to achieving ISO certification is saving money. The main aim of ISO 27001 is to prevent security incidents from happening, and security breaches are expensive to fix. The cost of meeting ISO requirements is much smaller than the cost of dealing with such problems.

ISO/IEC certification is not obligatory for IT companies to adhere to – it’s more accurate to think of it as the gold standard, for those companies that want to go above and beyond with protecting their customer data.

If you see the red ISO badge on a technology supplier’s website, you can be confident that the company is taking their data privacy very seriously. That’s why it’s important for us at Unified Software to be ISO certified – we pride ourselves on fully safeguarding our customer data.