The legal and regulatory requirements for information security are becoming more complex. Companies want to keep their data secure from threats and attacks. To demonstrate to partners, suppliers and customers that they are tackling these issues, certification is becoming increasingly important.
ISO 27001 certification is based on an information security framework that helps a company maintain an Information Security Management System (ISMS), and attests to the company's efforts to implement information security successfully.
Obtaining the certification, however, is a complex process. Andreas Wisler, an expert in the field, explains the procedure, its importance, and what companies need to do to obtain ISO 27001 certification.
1. When a company decides to obtain the ISO 27001 certification, what are the prerequisites it needs to comply with first?
Andreas Wisler: The first step requires the identification of the company’s own processes. These are assigned a criticality level, for example: low, medium, high. The second step consists of naming and allocating assets, such as servers, networks, patents, ideas, clients, etc., to the processes. These are attributed with the highest level of criticality. The third step is to apply a risk analysis to the medium and high urgency-labelled processes. This leads to a set of precise measures that need to be taken.
2. How can a company make sure that security of information is prioritised and implemented on an ongoing basis?
Andreas Wisler: The standard requires backup from the management team that is explicitly asked to provide the necessary assets - people, time, budget, and other resources. At least once a year, the management must undergo a management review. This ensures that the information security has the significance and attention it deserves.
3. What is the most important lesson young companies like Sherpany need to understand while in the process of obtaining the ISO/IEC 27001 certification?
Andreas Wisler: Security is an ongoing process. It is not enough to just do something once. Requirements are in a constant state of flux. Therefore, information security needs to be regularly adjusted to new conditions and changing circumstances. This guarantees that data and information are handled in a more secure way.