Security is not just about computers. It encompasses all areas, operations and divisions of any company. It really starts at the entry point to the building.
And so forth. Those are a series of basic questions, by no means exhaustive, that any company should address.
The answer to all these questions is to set up an information security management system (ISMS) that will protect the company’s assets. Having an ISMS will help prevent sensitive information from being damaged or destroyed, and will make sure it doesn’t fall into the wrong hands.
An ISMS is a set of policies, procedures and controls that protect the confidentiality, integrity and availability of a company’s sensitive information. It encompasses processes, data and technology as well as employee behaviour. When enforced comprehensively, it becomes part of the company’s culture.
Only the effective implementation of an ISMS, meaning integrating information security management into the company culture and training employees to comply with it, will provide a high degree of protection from data breaches.
The joint technical committee on information established by IEC and ISO, ISO/IEC JTC 1, through one of its subcommittees, SC 27, published ISO/IEC 27001, Information technology - Security techniques - Information security management systems - Requirements.
The international standard specifies requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of an organization, as well as for assessing and treating information security risks tailored to the organization’s needs. The requirements are generic and intended to be applicable to all organizations, regardless of type, size or nature. It sets out requirements for leadership, commitment and policies, and for actions to address risks and opportunities. It also covers support matters such as resources, competence, awareness and communication, as well as operational planning and control, information security risk assessment and risk treatment, and performance evaluation.
ISO/IEC 27001 goes further than cyber security and covers how an organization manages the security of information it holds, both for its own operations and from external sources, such as suppliers, customers, etc.
ISO/IEC 27001 also addresses threats that come from deliberate cyber attacks.
There are many benefits in using the holistic approach of ISO/IEC 27001: compliance with national and/or regional regulations; resilience and better response to cyber threats; reduced costs through a centrally-managed system that replaces duplicated and ineffective procedures; and well-informed employees who are aware of their security responsibilities.
By achieving certification to ISO/IEC 27001, an organization demonstrates to its stakeholders and customers that it is committed to managing information securely. In short, the company can be trusted.
While certification to ISO/IEC 27001 has existed since the standard was first published in 2005 (the current edition at the time of writing dates from 2013), it is only recently that IECQ, the IEC Quality Assessment System for Electronic Components, has set up a true single standardized way of assessing and certifying an ISMS to ISO/IEC 27001.
The ever-growing need for organizations to provide independent proof that their ISMS complies with ISO/IEC 27001 has led industry to request that IECQ certification bodies (CBs) be able to cover assessment and certification to ISO/IEC 27001 under the approved process scheme (AP scheme), alongside other IECQ assessments such as avionics or hazardous substance process management.
What drove industry to approach IECQ recently was the lack of harmonization among the many certification bodies, each of which offers its own certificates and applies its own interpretation of ISO/IEC 27001. Over time, this has resulted in divergent approaches and in differences in what the various certification bodies accept. Industry therefore looked to IECQ to offer a single approach to the application of ISO/IEC 27001. All certificates can be found on the IECQ website.