ISO/IEC 27001 is the international standard for information security management systems. It was developed from the British Standard BS 7799-2 published by the British Standards Institution (the world’s oldest standards development body) and was announced on 14 October 2005. In Poland, ISO 27001 was published on 4 January 2007. The latest edition is ISO/IEC 27001:2022, published by the International Organization for Standardization on 25 October 2022.
Areas affecting information security in a company
The ISO 27001 standard distinguishes fourteen areas affecting information security in an organisation:
- security policy,
- organisation of information security,
- human resources security,
- asset management,
- access control,
- cryptography,
- physical and environmental security,
- secure operations,
- secure communications,
- systems acquisition, development and maintenance,
- vendor relations,
- information security incident management,
- security aspects of business continuity management,
- compliance with legal requirements and own standards.
The fact that an organisation holds an ISO 27001 certificate demonstrates, among other things, that the above-mentioned areas are organised, periodically audited and, where necessary, improved. Proper management of the information security system is one of the fundamental factors influencing how optimally and effectively a company operates in this area.
ISO 27001 requirements
An organisation wishing to achieve or maintain ISO 27001 certification must meet the following requirements:
- systematically assessing the organisation’s information security risks (considering threats, vulnerabilities and the consequences should those threats materialise);
- planning and implementing a consistent and comprehensive information security control system to address threats that are considered unacceptable to the organisation;
- implementing a governance process to ensure that information security controls meet the organisation’s information security needs on an ongoing basis.
Companies or institutions that are willing and able to meet the requirements of this standard must therefore be proactive and continually evaluate procedures and solutions to protect confidential data.
ISO 27001 – mandatory or voluntary in the IT industry?
It is worth noting that the implementation of ISO 27001 is voluntary in organisations, regardless of the type of business or industry. Many companies, however, choose to obtain certification (and subsequent recertification audits). Why is this important and beneficial for them? The regulations of the standard set out the requirements in the previously mentioned areas affecting information security. For a huge number of entities, especially those operating in strategic sectors of the economy that process sensitive data – having an ISO 27001 certificate is, in a way, a guarantee that the company with which they want to cooperate meets security standards at an international level. It furthermore demonstrates a commitment to information security to third parties and stakeholders. For many companies and institutions, this is an essential factor in establishing relationships between entities, such as those entering into contracts with each other. Importantly, the reference to the standard by the contracting parties saves time when detailing and clarifying the requirements for the performance/acceptance of the service.
In summary – the implementation of ISO 27001 is not mandatory, but practice shows that, in many cases, it opens certain doors or significantly facilitates cooperation with customers – especially in an era when the number of cyber-attacks has been increasing for several years. It also undoubtedly helps to maintain very good relationships, based on attention to quality and security. It is not without reason that having ISO 27001 certification is often referred to by managers as the ‘passport to business’.
Putting security first
The difficult situation on the global geopolitical arena, the increasing number of hacking attacks and other crimes in the area of cyber security make it necessary for companies and institutions to implement all possible measures to ensure security in the broad sense, including information security. Polcom’s ISO 27001 certification is one proof that the company complies with international standards in this area.
Comprehensive supervision of data processing activities, cyclical risk analysis, improvement of procedures in the information security management system, as well as solutions in the area of the technical infrastructure of our data centres, are aimed at ensuring 100% confidentiality, integrity and availability of the data entrusted to us by our clients. We continuously work to ensure security and quality at the highest level.