First introduced in 2005, the ISO family of standards for managing information security has received more attention lately in the wake of increasing data breaches and security lapses. However, they’re still not as popular as HITRUST or SOC 2 audits, so in this post, we’ll specifically discuss ISO 27001, who it affects and what compliance means for your organization.
ISO 27001 is a compliance regulation such as PCI or HIPAA. There are about a dozen standards within the ISO family, but 27001 is the most common and the most pertinent for providing requirements regarding an Information Security Management System (ISMS). The ISO standards were first introduced in 2005 and were revised in 2013.
Essentially, an ISMS is how you decide to approach protecting your sensitive data. That data may include financial records, medical information, internal employee data or other information entrusted to you by a third party. Your ISMS is not just the data itself but also the people, processes and technology around it, and includes a risk management process. The goal of the ISMS is to help organizations keep their information secure.
ISO 27001 isn’t mandated by the federal government like HIPAA or enforced by a regulated industry like PCI, but if you handle personally identifiable information (PII) or use a hosting provider that does, it’s really something you (or they) should have. An ISO certification shows you, your customers, and your board of directors that you or the hosting provider you work with takes data security very seriously.
Here are the controls you’ll be measured against:
As you can see, ISO 27001 covers information security in considerable depth. But keep in mind that the firm you choose to audit you against these standards is offering an opinion as to whether you meet them, so be sure to pick reputable auditors who thoroughly understand the controls.
Since ISO is a management standard, everyone on the management team is involved, not just the IT department. That includes the CEO, CFO, and anyone else on your team. Having the entire management team take part in the process makes it much easier to apply security controls and a culture of compliance across the board, because every department is actively involved in achieving compliance.
Looking for a cloud provider with ISO 27001 compliance? We have you covered. We recently achieved certification for ISO 27001 compliance with no exceptions to our audit. Visit /compliance-security/iso-27001-compliant-hosting to learn more.