ISO 27001 – The International Cyber Security Standard

ISO 27001 (part of the ISO 27000 family of standards) is the best-practice specification for an Information Security Management System (ISMS), and sets out specific requirements by which an organisation’s ISMS can be audited and certified.

The Survey of Management System Standard Certifications conducted in 2012 by ISO states that South Africa saw a significant increase (55%) in the number of ISO 27001 certifications between 2009 and 2012. However, the number of companies certified is still very low (22 in 2012, one of which is a South Africa-owned IT company).

In the South African Cyber Threat Barometer 2012/13 conducted by Wolfpack, respondents said that the top three cyber threats in South Africa were blocked access, economic fraud and the propagation of malware through mobile devices. The survey also states that the information assets most often targeted are log-on credentials including PINs, banking information, and personally identifiable information.

Phishing is the most common attack method used, targeting most sectors in South Africa, followed by inadequate control and abuse of system privileges. Malicious software is third on the list and has been leveraged for both espionage and infrastructure attacks.

If you’re new to ISO 27001 we recommend downloading our green paper, which provides an introduction to information security and ISO 27001.


Changes to ISO 27001

ISO 27001 was published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The new standard, ISO/IEC 27001:2013, was published on 25 September 2013 and is available at IT Governance. This standard replaces the previous version, ISO/IEC 27001:2005.

The most important changes in this standard are:

  • The Plan-Do-Check-Act (PDCA) model is no longer a requirement for ISO 27001:2013 and organisations can apply any form of continual improvement method.
  • Organisations required to use specific process models (e.g. COBIT, ITIL) face reduced barriers to entry.
  • There are changes to the structure of the standard.
  • ISO 27001:2013 is designed to better integrate with other ISO/IEC standards. Terms and definitions are standardised across the ISO 27000 family.
  • The standard is more flexible in general.
  • The ISO 31000 risk assessment link ties information security risk management into corporate risk management approaches.
  • The roles of board and management/leadership are clearly delineated.

ISO 27001 benefits

ISO 27001 provides companies with the assurance that they are protected from risks and threats which could lead to asset loss, financial impact and reputational damage. The standard also helps to develop and strengthen information security best practice.

Benefits of ISO 27001 certification include:

  • winning and retaining business opportunities;
  • protecting and enhancing your reputation;
  • building trust (internally and externally);
  • demonstrating compliance;
  • satisfying audit requirements;
  • improving efficiency;
  • identifying vulnerabilities (new ‘unknowns’).

IT Governance SA has a range of ISO 27001 and information security training courses, which are led by experts in the ISO 27001 field and provide comprehensive coverage of specific areas. We can offer help in finding appropriate hotels close to the training venue. Alternatively, we also offer in-house training, anywhere in the world.



Achieving ISO 27001 Certification

Achieving ISO 27001 can be a complex and time-consuming project. The documentation necessary to create a compliant ISMS can run to 1,000 pages, and there is a lot of learning involved in getting the documentation formulae and processes working effectively. This takes up a lot of time and resources and has significant management implications.

The South African National Accreditation System (SANAS) is recognised as the only South African body responsible for carrying out accreditations in respect of conformity assessment in South Africa. This includes accreditation of conformity assessment, calibration and good laboratory practice, and ensures an internationally recognised accreditation system.

Achieving ISO 27001 certification can be simplified. There are a number of toolkits available that provide all the pre-written documents you need, which can be tailored to your organisation’s requirements. These toolkits are often cheaper than one day’s consultancy fee and enable you to become your own expert.

We recommend the Standalone ISO 27001 ISMS Documentation Toolkit, which provides all the policies, procedures, templates and guidance to keep you in line with the ISO 27001 standard.
