
First introduced in 2005, the ISO family of standards for managing information security has received more attention lately in the wake of increasing data breaches and security lapses. However, they’re still not as popular as HITRUST or SOC 2 audits, so in this post, we’ll specifically discuss ISO 27001, who it affects and what compliance means for your organization.

What is ISO 27001?

ISO 27001 is a compliance standard, comparable to PCI or HIPAA. There are about a dozen standards within the ISO family, but 27001 is the most common and the most pertinent, because it sets out the requirements for an Information Security Management System (ISMS). The ISO standards were first introduced in 2005 and were revised in 2013.

What is an ISMS?

Essentially, an ISMS is how you decide to approach protecting your sensitive data. That data may include financial records, medical information, internal employee data or other information entrusted to you by a third party. Your ISMS is not just the data itself but also the people, processes and technology around it, and includes a risk management process. The goal of the ISMS is to help organizations keep their information secure.

Do I need ISO 27001 compliance?

ISO 27001 isn’t mandated by the federal government like HIPAA or enforced by a regulated industry like PCI, but if you handle personally identifiable information (PII) or use a hosting provider that does, it’s really something you (or they) should have. An ISO certification shows you, your customers, and your board of directors that you, or the hosting provider you work with, take data security very seriously.

What does an ISO 27001 audit cover?

Here are the controls you’ll be measured against:

  1. ISMS scope
  2. Information security policy
  3. Information risk assessment process
  4. Information risk treatment process
  5. Information security objectives
  6. Evidence of the competence of the people working in information security
  7. Other ISMS-related documents deemed necessary by the organization (optional?)
  8. Operational planning and control documents
  9. Results of information risk assessments
  10. Decisions regarding information risk treatment
  11. Evidence of monitoring and measurement of information security
  12. ISMS internal audit program and its results
  13. Evidence of top management reviews of ISMS
  14. Evidence of nonconformities identified and the corrective actions arising from them

As you can see, ISO 27001 covers information security in considerable depth. But keep in mind that the firm you choose to audit you against these standards is offering an opinion as to whether you meet them, so be sure to pick reputable auditors who thoroughly understand the controls.

Who is involved in achieving ISO 27001 compliance?

Since ISO 27001 is a management standard, everyone on the management team is involved, not just the IT department. That includes the CEO, CFO, and anyone else on your leadership team. Having the entire management team be part of the process makes it much easier to apply security controls and build a culture of compliance across the board, because every department is actively involved in achieving compliance.

Looking for a cloud provider with ISO 27001 compliance? We have you covered. We recently achieved certification for ISO 27001 compliance with no exceptions to our audit. Visit http://www.onlinetech.com/compliance-security/iso-27001-compliant-hosting to learn more.