What is ISO 27001?

According to the International Organization for Standardization, ISO 27001 is the world's best-known standard for Information Security Management Systems (ISMS). As of 2021 just under 60,000 businesses worldwide were certified to the standard. The most recent version was published in October 2022.

As with other ISO management system standards, ISO 27001 takes a risk-based approach to planning, so that information security controls are chosen according to the risks identified and the workforce understands how best to protect and manage your information assets.

Organizations gain a number of different benefits when setting up an ISO 27001 system. These typically include:

To learn more about ISO 27001, why it's considered necessary, and the sort of outcomes an organization can expect after having implemented the standard, we'll take a look at a couple of case studies published by the British Standards Institution (BSI).

Thames Security Shredding

Our first case study examines Essex-based Thames Security Shredding (TSS Ltd), a company specializing in the collection and destruction of confidential documents. The market for secure document shredding has grown in recent years, driven by the UK's Data Protection Act and the rise of identity theft. TSS Ltd occupies this niche while striving to deliver a flexible service that offers the best possible information security.

The company's implementation project began with an information risk assessment to identify how TSS Ltd managed its information security risks. This assessment revealed several gaps in the company's existing system and highlighted areas for improvement (such as a need for better documented and structured processes).

Another important step involved customizing the risk assessment methodology to TSS Ltd's needs. In this context, customization meant ensuring that staff could understand and adhere to the methodology, thereby creating an efficient ISMS capable of driving continuous improvement.

The project was a great success. Supported by strong leadership, motivated staff, and a commitment to ISO 27001, TSS Ltd's implementation project culminated in certification just four months after it began. Since then attitudes among staff and their awareness of information security have continued to improve. Documentation is regularly updated and all security incidents are recorded and dealt with appropriately.

Certification to ISO 27001 provides a compelling demonstration of our commitment to managing information security at an international level of best practice. The certification is clearly conferring a competitive advantage and we have won new business as a result.

Thames Security Shredding

Fredrickson International

The second study involves Fredrickson International, a UK-based debt collection agency.

Much of Fredrickson's work involves the analysis and storage of sensitive information. Information security is crucial. The debt collection industry is subject to rigorous regulatory inspection, so Fredrickson needed an ISMS that could achieve regulatory compliance, satisfy external auditors, and provide additional assurance to involved parties that it treats the security of personal information as a matter of paramount importance.

Fredrickson's bid for ISO 27001 certification kicked off with a gap analysis and a company-wide drive to raise awareness of the project and foster understanding of its benefits. Staff training was also arranged. The project was a success: Fredrickson achieved certification, and both customers and the general public can now have full trust in how the company stores and manages their personal information.

Who Can Implement ISO 27001?

ISO 27001 is suitable for all organizations, regardless of size, sector or location. The standard is especially suited to highly regulated industries where data security and integrity are crucial. Examples include IT, private and public healthcare, insurance, banking and finance.

If you've decided that ISO 27001 is right for your organization but aren't sure what to do next, BSI offers some useful tips to help you get started.

Conclusion

ISO 27001 is the world's most widely recognized standard for an Information Security Management System. Certification to the standard not only engenders strong trust in the organization but also assures customers and suppliers that best practices are being followed and that staff awareness of security is treated as paramount.