Why choose ISO 27001 over other information security frameworks?
PGI's Information Assurance Team share the top reasons why they recommend ISO 27001 to our clients.
ISO 27001 is one of the best known and most recognised internationally agreed set of standards for the specification of information security management systems (ISMS).
With so much information being stored on IT systems and on the cloud, keeping it secure has never been as important as it is right now. Clients trust any organisation they deal with to securely hold their sensitive personal and financial data but the inherent value of this data means that it has become the target of cybercriminals and, occasionally, bad actors within companies themselves.
To prove to clients, suppliers, and regulators that your business is being vigilant and responsible with sensitive and personal data, you can choose to work towards a number of different accreditations.
While SOC2, Cyber Essentials, NIST CSF, ISF Standard of Good Practice framework, and IASME have very considerable advantages in their favour, ISO 27001 is, in our experience, the best accreditation option currently available for businesses and here’s why:
ISO 27001 requires ongoing evaluation and improvement of a company’s information security management system.
Companies in receipt of an ISO 27001 certification are expected to continually assess, test, review and measure their performance.
As well as committing to external auditing, companies integrate the following ongoing procedures into their general operations:
These reviews allow organisations to constantly question the efficiency and effectiveness of their controls and working practices. By doing this, they gain the information needed to fine-tune both on an ongoing basis against existing and emerging threats.
Companies must submit to ongoing supervisory reviews (referred to as surveillance audits) over a three-year period to ensure continued compliance.
Conversely, SOC2 Type 2 has a similar requirement but over just a six-month timespan and the Type 1 certification only requires that you prove adherence at the time of a particular audit.
Although Cyber Essentials Plus requires technical verification, the standard Cyber Essentials accreditation does not. This is why the Information Commissioner’s Office (ICO) recommends ISO 27001: it requires initial and ongoing internal and external auditing to ensure compliance.
External auditing to ISO 27001 offers companies a higher level of protection in case of a data breach, meaning that any punishment or fine given by the ICO is likely to be significantly less severe.
There is just a small difference between the security control protocols set out in ISO 27001 and SOC2.
These differences are important, however. ISO 27001 is focused on developing, maintaining, and managing top-down data protection controls specific to a particular business, while SOC 2 only requires adherence to one of its five Trust Services Principles (security, but not privacy, confidentiality, processing integrity or availability).
To be awarded an ISO 27001 accreditation, you must be assessed by a recognised ISO 27001-accredited certification body. For a SOC 2 accreditation, an audit must be carried out by an independent CPA (Certified Public Accountant) who will judge compliance to the standards set out by the American Institute of Certified Public Accountants (AICPA).
If you wish to trade in North America, most organisations will be happy with either certificate (except for healthcare and government departments). Across the rest of the world and in the UK, however, ISO 27001 is far more widely accepted.
As part of the ISO 27001 certification process, organisations need to assemble and maintain a comprehensive inventory of their information assets.
Included in the inventory should be not only an organisation’s data but:
By having a complete picture of the information assets your organisation holds, who is responsible for them, and who needs them to carry out their day-to-day and strategic roles, you know what you have to protect and you can better identify specific threats and vulnerabilities.
In comparison, the purpose of SOC2 is to prove system security levels against a set of defined criteria and principles. While organisations with SOC2 are encouraged to continually monitor and improve, this is not as strict a requirement as it is under ISO 27001.
As the amount of data we hold increases, so will the regulations to protect these assets. The most effective way to deal with current and future requirements is to take a lead with building a risk-based approach for protecting all your important assets and adopt ISO 27001. In addition, ISO 27001 is much more widely recognised around the world than any of the other accreditations available, making any planned international expansion quicker and more cost-effective.