What is ISO 27001?
How is information secured in a company? Who has access to what and when? What safeguards are in place to ensure the confidentiality, availability and integrity of information? How is the data protected? What are the risks? And how can they be minimised?
ISO/IEC 27001:2013 certification aims to answer all these questions and more. What exactly is this standard for? How do you obtain it? We tell you everything you always wanted to know about ISO 27001 (but were afraid to ask).
ISO 27001 certification: definition
ISO/IEC 27001:2013 is the leading international standard for information security management, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The ISO 27001 certificate is issued by an accredited third-party certification body, such as AFNOR in France. It attests that a company has implemented an information security management system (ISMS) that conforms to the standard.
To achieve ISO/IEC 27001:2013 certification, organisations must follow a well-defined methodology: identify the threats to their information, assess the resulting risks, and reduce them by implementing appropriate controls, then maintain and improve that system over time.
💡 It's all in the name!
Why this name? Firstly, because ISO is derived from the Greek "isos", which means equal. And secondly, because "International Organization for Standardization" would have had different acronyms in different languages (IOS in English, OIN in French), so the founders chose the short form ISO. Whatever the country, whatever the language, ISO is always ISO!
ISO 27001: What is it for?
ISO 27001 certification enables companies to identify, analyse and treat the risks to the organisation, its partners and its customers that arise in the course of a commercial, contractual or other relationship. By certifying the company's activities (the whole organisation, or a clearly defined scope), you can demonstrate a high standard of security and so limit the risks for all your partners and customers.
Did you know? The ISO 27001 standard deals with different aspects, including:
- the involvement of management in the security processes, and the governance of the project;
- risk analysis and the controls used to treat the risks identified;
- the continuous improvement of the ISMS, together with the audits and checks carried out;
- internal and external communication and its implications;
- human resources security;
- asset management (equipment, tools, processes, information...);
- access control;
- physical and environmental security;
- the definition and use of cryptographic means, both on workstations and for customer data;
- security in operations, networks and development;
- supplier management;
- management of security incidents of all levels, business continuity and crisis management;
- the compliance of the company and all its partners with high security standards and with applicable norms and laws.
What does ISO/IEC 27001 cover?
The ISO/IEC 27001:2013 standard consists of 10 clauses and an annex. Annex A lists 114 security controls in 14 sections (A.5 to A.18), covering a wide range of areas:
- information security policies
- organisation of information security
- human resource security
- asset management
- access control
- cryptography
- physical and environmental security
- operations security (e.g. backups, logging, malware protection)
- communications security
- system acquisition, development and maintenance
- supplier relationships
- information security incident management
- information security aspects of business continuity management
- compliance
(Note that the 2022 revision of the standard restructures Annex A into 93 controls grouped into four themes: organisational, people, physical and technological.)
💡 Going Further
Are you familiar with ISO/IEC 27701:2019? It is the privacy extension of ISO/IEC 27001: it adds requirements for a privacy information management system on top of an existing ISMS.
💡 Good to know
It typically takes 6 to 12 months to obtain ISO 27001 certification, depending on the scope chosen and the maturity of the organisation's existing security practices.
What training for ISO 27001?
There is a myriad of ISO/IEC 27001 training courses. Providers such as Deloitte, AFNOR, HS2, IT Governance, M2i and BSI offer them (the "Lead Implementer" course is the best known), and they last about one week. But they are not a prerequisite for certification: the certificate is awarded to the organisation on the basis of the certification audit, not on the training its staff have followed.