Understanding ISO Compliance

Though globalization has opened up new markets and avenues for businesses to grow and expand, it has also increased security risks manifold. In this age,as companies and organizations depend largely on technology to carry out their various business activities, their greatest risk would definitely be information security risks.  Hence, it necessitates the need for a code of practice or set of standards in place to effectively manage the privacy, integrity and accessibility of information assets and thereby reduce information security vulnerabilities. The International Organization for Standardization (ISO)and the International Electrotechnical Commission (IEC) hope to achieve this with the promulgation of ISO/IEC 27000-series also known as the ISMS Family of Standards or simply ISO 27K series.

ISO is the world’s largest non-governmental, voluntary organization for developing and publishing universal industrial and commercial standards while IEC is a non-governmental, non-profit organization preparing and publishing international standards for all electronic, electric and related technologies. These organizations have come together to help companies and organizations in having an overall management and control framework to deal with information security risks.

Today it has become imperative that companies and organizations must achieve ISO compliance particularly ISO 27001 and ISO 27002 if they want to minimize information security risks. Those companies that do not comply with ISO 27001 and ISO 27002 compliance guidelines would have to face severe consequences such as financial losses, harsh penalties, loss of brand reputation, lossand loss of investor confidence and so on.Let’ look at the two standards in detailbrief.

ISO/IEC 27001
An Information Security Management System (ISMS) standard published in 2005, it details the requirements for the establishment, implementation, monitoring and review, maintenance and improvement of a management system for managing an organization’s information security risks.As per this standard, the company management must

  • Assess the information security risks, vulnerabilities, threats and impacts systematically
  • Deploy sound and comprehensive information security controls to address the information security risks  effectively
  • Ensure that the implemented information security controls continue to meet the security needs of the company

ISO/IEC 27002
It is a code of practice for initiating, implementing and maintaining an information security management system. In its introduction it states “Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post of using electronic means, shown on films, or spoken in conversation. Whatever form information takes, or means by which it is shared or stored, it should always be appropriately protected.”  The ISO 27002 consists of 12 sections with each section specifying the information security controls and its objectives.

Though ISO/IEC 27001 and ISO/IEC 27002 are two different standards, they are always used together.Though compliance to ISO 27001 and 27002 is a complicated process, companies and enterprises can achieve it through ISO compliance management software easily, quickly and accurately.

Read on – IT Compliance

Processing your request, Please wait....

Leave a Reply