“Two fifths of large organizations have been asked by customers to comply to ISO/IEC 27001”
PwC Information Security Breaches survey, 2010


What is information security?

The information you collect, store, manage and transfer is an organizational asset.
It adds value to your business and consequently needs to be suitably protected. It may be the personal details of your customers or confidential financial data.

It can be printed or written on paper, held electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation.

Growing dependence on information systems, shared networks and distributed services like cloud computing means organizations are more now even more vulnerable to security threats.

In a recent survey by the Chartered Management Institute, 72% of businesses admitted that they were worried about the financial impact of cybercrime with 1 in 3 having experienced such attacks in 2010.

Poor supervision of staff and lack of proper authorization procedures are frequently highlighted as major causes of security incidents.

Companies vary in their approach to preventing breaches: some prohibit everything, making mundane tasks difficult; others are too lax and permit access to all by all, exposing themselves to a high degree of risk.

For a business to run efficiently they need the right balance: this is where ISO/IEC 27001, the international standards for information security management helps.

How does ISO/IEC 27001 help?

The purpose of information security management is to ensure business continuity and reduce business damage by preventing and minimising the impact of security incidents.

The Audit Commission has stated that fraud or cases of IT abuse often occur due to the absence of basic controls, with 50% of all detected frauds found by accident.

Even when organizations introduce controls (which might be policies, procedures, structures, software), these are often disorganized and disjointed. This is because they have been often been implemented in response to a specific situation or incident or simply as a matter of convention.

Robust information security is only possible when the specific security objectives of an organization are identified and then addressed. This means the organization is better able to manage their vulnerabilities.

This is the systematic framework - or information security management system (ISMS) - that ISO/IEC 27001 specifies.

In short, an effective ISMS requires that senior management:

• systematically examine the organization's information security risks, taking account of the threats, vulnerabilities and impacts;

• design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and

• adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

“Two fifths of large organizations have been asked by customers to comply to ISO/IEC 27001”

Following the ISMS specified in ISO/IEC 27001 provides your organization with the confidence that you are following globally-agreed good practice with regard to the protection of information assets.

As an auditable standard it also helps users to win new business and provides assurance in supply chain management.

According to the 2010 PwC Information Security Breaches survey, “two-fifths of large organisations have been asked by their customers to comply” to ISO/IEC 27001, which - the report states - is “increasingly becoming the lingua franca of information security”.

BSI’s own research supports this, with 87% of organisations implementing ISO/IEC 27001 confirming that the standard had ‘positive’ or ‘very positive’ outcomes, including an increased ability to respond to tenders.

ISO/IEC 27001 has also been designed so it can be integrated with other management system standards - such as ISO 9001 – saving users’ time and duplicating work.

 Your basket
Your basket is empty