#71 – ISO 27001: INTRODUCTION AND THE ROAD TO CERTIFICATION – VINCENT PALERMO

Publicly announced breaches of secured information are so common today that they almost seem routine. Last year, in the United States alone, financial companies like JPMorgan Chase and retailers such as Target and Home Depot were victimized by information system hackers that allegedly gained access to the confidential data of millions of businesses and consumers.

Data breaches compromise consumer data and, in some cases, organizational data as well, increasing the risk of both business and personal financial fraud. However, data breaches also come with a significant cost for those organizations that have been targeted. According to its “2014 Cost of Data Breach Study: Global Analysis,” the Ponemon Institute estimates the average total cost of addressing a single data breach incident at $3.5 million, or about $145 for each lost or stolen record.

Unfortunately, the effect on an organization that suffers a data breach goes beyond the financial cost. Customers can easily lose confidence in a business that fails to protect credit card information and other personal data, and may choose to do business with a competitor. In addition, an organization whose reputation has been tarnished by such an incident is likely to struggle more to attract new customers.

About ISO/IEC 27001

ISO/IEC 27001—“Information security management” is an internationally recognized standard that details the requirements for implementing and maintaining an information security management system (ISMS). Specifically, the standard specifies the requirements for forming, applying, operating, monitoring, reviewing, maintaining, and improving a documented ISMS that addresses the root causes of information security risks. Organizations that maintain an ISO/IEC 27001-certified ISMS can help protect themselves from malicious and criminal cyber attacks and prevent unintended access to private or sensitive information.

Originally based on BS 7799-2, a standard issued by the British Standards Institute in 2002, ISO/IEC 27001 was first published in 2005. The original version of the standard applied the plan-do-check-act (PDCA) model then commonly used in management systems standards. A revised version of the standard, ISO/IEC 27001:2013, adopted the framework detailed in Annex SL of the Consolidated ISO Supplement of the ISO/IEC Directives, which mandates the use of a common structure and terminology in all new and revised management systems standards.

Unlike the prior edition of the standard, ISO/IEC 27001:2013 places a greater emphasis on measuring and evaluating the effectiveness of an organization’s ISMS. ISO/IEC 27001 also includes a section on managing outsourced IT services because many organizations do not directly manage their IT infrastructure.

Organizations that are currently certified to ISO/IEC 27001:2005 must be recertified to the requirements of ISO/IEC 27001:2013 by no later than Oct. 1, 2015. The required transition timeline applies even to those organizations whose current ISO/IEC 27001 certification extended beyond the Oct. 1 deadline.

The implementation and certification process

The process of implementing an ISMS in accordance with the requirements of ISO/IEC 27001 and achieving certification typically involves the following steps:

  • Obtain management commitment. A commitment from an organization’s senior management is a prerequisite for any successful management system implementation, including the implementation of an ISMS.
  • Define the organization’s information security policy. The organization identifies and defines the specific goals and objectives it hopes to achieve with its security policy; the policy acts as the framework, establishing a sense of direction and principles for action with regard to information security.
  • Define the scope of the ISMS. Next, the organization identifies the specific aspects of its information systems security to be addressed within the scope and boundaries of the ISMS.
  • Complete a risk assessment of the current ISMS. The organization then conducts a risk assessment based on the most appropriate risk-assessment methodology to determine the specific information security risks that the ISMS is likely to encounter.
  • Analyze and evaluate the risks. The organization then determines methods to control the risks that have been identified and, as the necessary next step, applies risk treatment to control or mitigate those risks.
  • Identify and implement risk controls. Next, the organization implements the required controls, monitors results, and makes changes and modifications as required.
  • Conduct an ISMS pre-audit. With the ISMS now in place, the organization should conduct a pre-certification assessment audit to identify any potential certification issues (e.g., gaps and/or the degree of compliance with the policies, directives, and standard adopted by the organization).
  • Conduct an ISMS certification audit. Finally, an independent certification body assesses the organization’s compliance with the requirements of ISO/IEC 27001, and issues certification as appropriate.

The benefits of ISO/IEC 27001 certification

ISO/IEC 27001 provides a proactive, structured, and systematic approach to security that can protect information systems from malicious or unplanned attacks, thereby helping to protect the confidentiality of private and confidential information. Organizations that have achieved ISO/IEC 27001 certification clearly demonstrate their commitment to the security of customer information, and can inspire confidence from customers and supply chains alike while providing an important advantage in a competitive marketplace.

Bio:

Vincent Palermo is a senior manager with TÜV SÜD. TÜV SÜD America, in cooperation with Quality Digest, will host a free webinar, “ISO/IEC 27001: Introduction and the Road to Certification,” live on Nov. 18, 2014, at 2 p.m. Eastern. Intended for information security and technology professionals and consultants, the webinar will discuss the importance of ISO/IEC 27001 certification and describe the steps needed to obtain certification. Registration and further information about the webinar are available from Quality Digest.

(C) Quality Digest – Used with Permission
