ISO 27001 Standard
The international standard ISO 27001, also known as DIN ISO/IEC 27001 in Germany, is the prerequisite for a certified information security management system, ISMS for short. For companies, certification means more security, risk minimisation, an edge in trust with customers and thus a possible competitive advantage. At the same time, such proven information security also ties up resources and requires a commitment from top management – especially in larger companies that are not at home in the security industry. In this wiki article, we explain who benefits from such an ISO certificate, which prerequisites must be created and how important a functioning ISMS is for the subscription economy.
What is ISO 27001?
Basically, there are two different certifications. One is the ISO 27001 certification and since 2006 also the so-called “ISO 27001 certification based on IT Baseline Protection”. The latter has a higher informative value due to its scope, but is also considerably more complex to implement. In both cases, the aim is to permanently plan, implement, monitor and optimise a company’s information security.
The crucial factor for successful certification is first of all the necessary responsibility in top management. This is mainly due to the fact that information security must be guaranteed across all departments. In short: data and security are a matter for the boss. Thus, there are three basic values in information security:
- Confidentiality: Information must not fall into the wrong hands
- Integrity: Sensitive information must not be falsified
- Availability: Necessary information must be retrievable.
These overarching basic or corporate values must first be understood and exemplified by the top management before an information security officer deals intensively with the matter. At the end of this process, there is a possible certification according to ISO 27001.
The advantages of ISO 27001 certification
Certification according to ISO 27001 has many advantages for a company. The misuse of data and data leaks, for example through hacker attacks, cost German industry several billion euros every year. A cost risk that is reduced by consistent information security management.
A successfully proven information security is thus considered the basis for a solid corporate culture. A culture of understanding and trust can thus be established internally within the company, but also in relation to the exchange with customers and business partners. This in turn can lead to a competitive advantage.
Another advantage is that an ISO-certified process also covers the topic of data protection. Because data protection and information security are part of every IT canon.
ISO/IEC 27001:2013 is a security standard that establishes security best management practices and comprehensive security controls in accordance with the best practice guidance set out in ISO/IEC 27002.
What does ISO/IEC 27001 certification mean for the subscription business?
Secure systems are of major importance for subscription business models. After all, protecting customer data through strict security standards is a top priority not only, but especially for subscription companies. Especially in automated processes, the operational requirements for a subscription business model are immense. After all, two characteristics, confidentiality and transparency, have to be combined here, both in the interest of the customer and for the company.
It is important to understand that ISO certification is not a condition or legal requirement for a subscription model.
How can I certify my company and what do I have to consider?
In fact, the ISO certificate is initially a voluntary service that a company can take advantage of. Theoretically, but certainly not recommended, the company can also proclaim conformity and the importance of information security on its own and make it credible to the customer. Alternatively, service providers or customers can also confirm or evaluate the trustworthiness and information security. The most convincing variant, however, is verification by an independent external auditor, such as from TÜV or directly from the Federal Office for Information Security (BSI).
Once a company has decided on ISO IEC 27001 certification, the time factor for implementation must be considered. And how long does ISO 27001 certification take? It takes about 30 to 50 days until all processes and concepts have been set in motion in such a way that it is sufficient for certification. It is also helpful to plan a full-time position that focuses only on the requirements of this topic. However, this time and personnel effort can pay off quickly, especially for those companies that want to avoid the risks of data leaks and security breaches. And for everyone else, certification is certainly a worthwhile investment in the future.
Conclusion on ISO 27001
The larger a company or organisation and the greater the complexity of its business model, the higher the monetary and personnel costs of the measures required to get an ISMS certified according to DIN ISO/IEC 27001 up and running. But these efforts to comply with the standard can quickly pay off. Either directly, through the avoidance of failure and risk costs, or indirectly, as the company can recommend itself as a particularly secure and audited company.
