What is ISO 27001 certification?
Put simply, ISO 27001 is an internationally agreed-upon standard for organisations seeking to implement an IT security programme, known as an Information Security Management System (ISMS). It allows an organisation to implement security processes and controls in a way that adheres to international best practice.
Why get it?
Large companies are increasingly requiring their business partners to acquire and maintain ISO compliance, in order to minimise risk and demonstrate diligence in security matters.
Besides being a requirement for working with certain third parties, ISO 27001 is a worthwhile security framework in its own right, given its flexible, risk-based approach. It is also gaining traction because it aligns closely with other, more localised security frameworks.
By promoting your conformance to information security standards, your organisation can demonstrate to its customers that it takes the security and privacy of their data seriously.
ISO 27001 defines a detailed process for developing the ISMS: scoping what the system covers (e.g., information assets), identifying the risks those assets face, deciding how to respond to each risk, implementing controls to treat the risks, auditing those controls, and finally feeding the results back into the system to ensure continual improvement.
Once an organisation is ready, it is externally audited to confirm that it meets the requirements and that there is evidence the system is being actively maintained.