Chapter 19. Is ISO 27001 for You?

Executive summary

Unless you’re a relatively small organization or, as an organization, you do not use information or information technology, ISO 27001 is an appropriate standard for you to deploy to safeguard your IT infrastructure investments, protect your competitive position and ensure you comply with current and future national and international laws and regulations.

Do you have information that you rely on or which needs to be kept confidential?

If you do, you need to have a structured approach to protecting it against multiple external and internal threats; such an approach requires a mix of technology and procedure, as well as informed and well-trained computer users. The standard contains best practice guidelines on how to achieve this.

Do you collect personal information (eg from customers or employees)?

If you do, you need a structured approach to storing and protecting that information in a way that ensures that your organization is in compliance with a myriad of often conflicting international laws and regulations. The standard contains best practice guidelines on how to achieve this.

Does your business rely on information technology for its daily activities?

If it does, you need a structured approach to ensuring that your systems continue operating without interruption and that your fall-back plans in case of disaster are thoroughly tested and dependable. The standard contains best practice guidelines on how to achieve this.

Do your customers, suppliers or partners need confidence in your information handling and privacy protection measures?

External certification of your information security management system can provide customers, partners and suppliers with the confidence to move forward in dealing with you, knowing that you maintain secure information systems.

Can you afford reputation damage, commercial and punitive losses, business interruption and loss or corruption of confidential information?

Probably not.

If your answers to the first four questions are ‘Yes’ and to the last is ‘No’, then you need to deploy a structured information security management system, and as soon as possible. The question that remains is: ‘Is ISO 27001 the answer?’

Is ISO 27001 the answer?

The answer depends on the size and complexity of the organization, and on the commercial drivers. In practical terms, if you employ fewer than 25 people, ISO 27001 is only likely to be appropriate if there are specific commercial reasons for pursuing it: you operate in a high-risk environment (eg financial services), there is a customer requirement (eg service desk outsourcing services) or there is some other mandate (eg government or funding requirements). Unless these reasons apply, you will probably be better off pursuing a less complex but relatively practical solution such as the Infosec Basics for Business[22] or even, if you are a very small or home-based business, applying the Internet Highway Code[23].



[22] An information security management system for SMEs that is described in A Business Guide to Information Security by Alan Calder, published by Kogan Page in association with the IOD in October 2005.

[23] Internet Highway Code, by Alan Calder, published by IT Governance Publishing, March 2005.
