Standards are useful only if the employees affected by their implementation embrace them in day-to-day operations. It is important to engage employees in the new processes so that they do not see them as extra work, but as something that can make processes more automated and easier to track.
ISO/IEC 27001 is an information security standard, part of the ISO/IEC 27000 family of standards, of which the latest version was published in 2013, with a few minor updates since then. It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. ISO/IEC 27001 specifies a management system intended to bring information security under management control and sets out specific requirements for it. Organisations that meet the requirements may be certified by an accredited certification body following successful completion of an audit.
SWOT Analysis for ISO/IEC 27001

Strengths
• Information security: Helps your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
• Internationally recognised and validated: It is internationally recognised, and has been verified and validated by thousands of security professionals and participating countries.
• Provides requirements for an information security management system (ISMS).
• Scalability: It can be scaled to fit small or large organizations with one or multiple sites in any sector.
• Enables interoperability: Allows certified organisations to exchange and manage shared data (e.g. within the Cloud) with some degree of confidence.
• Brings together experts to share knowledge and develop voluntary, consensus-based, market-relevant International Standards that support innovation and provide solutions to global challenges.

Weaknesses
• ISO doesn't issue certificates and isn't involved in the certification process.
• Adoption cost and effort: The adoption, certification and recertification costs and efforts (e.g. man-hours needed to produce the documentation,
• Does not ensure the effectiveness of the measures implemented, only their existence.

Opportunities
• Adds credibility by demonstrating that a product or service meets the expectations of your customers. For some industries, certification is a legal or contractual requirement.
• Regulators and governments count on ISO standards to help develop better regulation, knowing they have a sound basis thanks to the involvement of globally established experts.
• Cloud security relies on the standard, so there is an opportunity for wider adoption.
• Can be used to implement lean management, given it can be applied to any kind of information (physical assets, data protection, intellectual property, etc.).

Threats
• Registrars are allowed to play both the role of auditor and of implementation consultant, creating a conflict of interest.
• Misconception that compliance means 100% security: Some organisations believe that compliance with the standard means they will experience no security breaches.
• Risk of over-regulation by introducing too many regulations calling for the same thing (e.g. HIPAA, Data Protection, PIPEDA, PIPA, FOIPPA, etc.).
• More and more businesses look at certification as a marketing tool only.
• Increased competition from other standards: Examples are the ones driven by individual countries (e.g. the UK's CESG standard), which some organizations see as easier to implement.