17 July 2012

Data Security: ISO27001, the information security standard

Printers that have succeeded in moving up the value chain - and those that aspire to - usually manage data nowadays. Therefore security management is increasingly topical. The consequences for organisations responsible for security breaches are serious; regulators' fines can impose severe financial penalties and then there's the reputational damage and loss of customer confidence.

Of course customers seek suppliers with proven credentials. The most common way to demonstrate security management capabilities is by registration to the information security management standard ISO27001. The standard requires that organisations identify what information they manage, and complete a risk assessment to identify what security controls they need to operate to reduce their security risks to an acceptable level. ISO27001 has many suggested controls.

If your business operates these controls don't get complacent! ISO27001 has over 120 other controls that may be necessary to reduce your security risks.

Businesses that achieve ISO27001 will have a systematic approach to security and will be able to demonstrated that they have identified what information they manage, risk assessed it, chosen controls to reduce risk and demonstrated that the controls are effective.
Additionally they will have:

• Trained their staff in security management, published and communicated a series of security polices. 
• Implemented controls for IT management, personnel security, physical security, access management and compliance management. 
• A programme of internal audits and improvement. 
• A proven business continuity capability. 
• Specific security measures and log and respond to security incidents.
• An established security governance under the leadership of their highest levels of management.
• The security management system will have been independently assessed by specialist security auditors.

This is not easy and it can't be done overnight - but that is why the award of the prestigious ISO27001 certificate has become a requirement for eligibility to bid for work where information security is important.