Information Security

ISO 27001 – Why is it important?

Published: January 27, 2017

Why are ISO 27001 and information security so important, particularly in today’s security-conscious business environment?

We asked Ryan Ettridge, a Digital Trust and Risk Assurance specialist with extensive experience in information technology, particularly in IT risk and cyber security, to explain why. Ryan has managed and embedded transformation programs for clients across all industry sectors; his strong focus on cultural change and his ability to successfully blend people, processes and technology give businesses the security imperatives they need to confidently manage modern information technology risks.

Read more about Ryan.


What is ISO 27001?

“ISO 27001:2013 is a well-respected international information security standard that outlines the key processes and approaches a business needs to manage information security risk in a practical way.”

Why do we need it?

“Information security is a business problem, not an IT problem. Risk-based approaches are vital for modern information security effectiveness.
There are many ways to achieve security risk management, so a good standard like ISO 27001 puts formalities in place to ensure the right thought processes were followed and captured when the inevitable breach is realised.”

What value does ISO 27001 certification add to a business?

“Certification is fundamentally about providing trust and confidence – and these can provide a competitive edge. In today’s world, our customers, business partners and shareholders want to be sure that you’re not putting them or their businesses at risk by not having appropriate safeguards in place around information and technology enabled business assets.

Boards want this confidence; management wants this confidence; and certification is a solid way of showing that you have invested and continue to invest to maintain appropriate levels of security based on acknowledged risks.”

Can I achieve the same processes without certification?

“Many organisations do follow the same process to achieve their security objectives without ever certifying, however certification is the formal proof that the standard has been integrated. Consistency and repeatability are key for traceability and justification of security investments. Understanding the standard in enough detail to appropriately apply it is necessary if you want to be truly effective.”

Why choose ISO 27001 over other standards such as NIST and IS 18?

“This is a common question, and the reality is that the standard is flexible enough to be adopted for all industries and maturities. It can be integrated at many layers to ensure both security and compliance.”

Where do you see information security heading into the future?

“Anything that can be digitised is being digitised, so access to information and anything that is connected presents far greater risk to society than ever before.

As long as there is a dependence on technology to live, there will always be malicious, accidental and other ways to cause negative impacts. Security is a byproduct of risk management. Security in the context of this conversation is about shifting the cyber risks in your favour – InfoSec must become part of your everyday personal and professional lives just like locks on your doors. Live it, breathe it.”

What are the potential career pathways for a person with ISO 27001 knowledge and experience?

“We talk a lot about ‘lines of defence’ in risk management and assurance. Let me briefly explain…

Line 1 involves Management/Leadership/Operations – these people set the tone for risk and manage the day-to-day running of a business.

Line 2 involves the SMEs and advisors to the business involved in how to manage risk within the business’s frameworks and policies.

Line 3 is an independent audit.

In all three lines of defence, this skill is well respected such that we know how to operate within our risk appetite; we know how to tailor and integrate a practical framework/standard; and we know what to audit against. Whether I look to hire a security architect, analyst, auditor or otherwise, knowledge and experience with this standard is always included.”

Find out more about our ISO 27001 courses

Related Articles

https://risktrainingprofessionals.com/what-is-iso-27001/

https://risktrainingprofessionals.com/iso-27001-not-just-it/
