Let’s get one thing clear about ISO 27001 - it’s not all about computers.
Now, it’s true to say that in this day and age most organisations store the bulk of their information digitally - but by no means all of it. Look around your own workplace and you will be surprised how much is still kept in paper files and even in people’s brains! The way we manage this data, wherever it is stored, is all covered by the ISO 27001 standard.
Think about it. How many people in your organisation store files on their computer desktop or ‘My Documents’? Or on USB sticks in their drawer? Do you have control of that? Is it secured? And how many carry notebooks or scraps of paper?
An Information Security Management System (ISMS) built to ISO 27001 is intended to help you keep your information secure. It’s a framework of policies and procedures that puts you in control of the way your organisation stores and manages data. It facilitates the assessment of risk and the implementation of safeguards.
One thing I find when auditing against ISO 27001 is that even the slickest organisations, those furthest down the road in terms of reliance upon IT for the storage of data, are often very poor at understanding exactly what information they have, how important it is and how to control it.
The reality is that for the most part people choose to control what is easy to control: automation and computerised IT are a lot easier to “buy” and sound a lot more exciting than “well trained staff”. However, even today people are often the weakest part of any system.
ISO 27001 gives you a structure (risk assessments, treatment plans, good practice on suitable controls, an understanding of the organisation’s context and the needs of interested parties, and so on) that helps focus the system on what you really need and not just what you think you need.
So, who needs it? Well, any organisation with information - that would mean just about anyone, really. But those whose business is primarily IT based, those in the health sector (handling people’s sensitive, personal health records), government and the public sector, and those working for large, image-conscious clients tend to be most interested in ISO 27001. It’s increasingly a requirement of doing business in these sectors - you can’t tender for work without it.
The popularity of ISO 27001 is now spreading beyond these sectors. At ISOQAR, we have recently seen interest from organisations including secure destruction firms, bodyguarding companies, and those providing taxi services for children in care, for witnesses attending court or for people going to health appointments.
It’s often said that an organisation’s people are its most important asset. I still believe this, but an organisation’s information is a close second.
This article was originally published on the Alcumus Group Blog, written by Tom Martin-Ball.