Although it is sometimes referred to as ISO 27001, the official abbreviation for the international standard on requirements for information security management is ISO/IEC 27001. That is because it has been jointly published by the ISO and the International Electrotechnical Commission (IEC). The number indicates that it was published under the responsibility of Subcommittee 27 (on Information Security, Cybersecurity and Privacy Protection) of ISO’s and IEC’s Joint Technical Committee on Information Technology (ISO/IEC JTC 1).
ISO/IEC 27001 is an internationally recognized information security standard, developed by the certification body International Organization for Standardization (ISO) and the IEC (the International Electrotechnical Commission). ISO 27001 has been through several iterations, including ISO 27001:2013; the latest version is ISO/IEC 27001:2022.
ISO 27001 provides guidelines and a framework, with requirements for “establishing, implementing, maintaining and continually improving” an information security management system (ISMS). ISO 27001 comprises 93 risk management controls, but not all are required to meet compliance with the ISO 27001 standard; instead, ISO 27001 compliance is about understanding your organization’s risk level and deciding which of the 93 controls are most appropriate to mitigate that risk to information assets.
ISO 27001 and data security
ISO 27001 requires the establishment of an ISO 27001 ISMS framework to encapsulate policies and procedures that protect an organization’s sensitive data, including intellectual property. This framework is based on the processes, people, technology, and procedures needed for information security controls, to secure systems and devices, and protect data from unauthorized access that can lead to data misuse, exposure, disruption, modification, or destruction. In addition, the ISMS policies and procedures help reduce the data risk from cyberattacks and insider threats through risk assessment. An ISMS also helps in meeting compliance with data protection and privacy regulations, such as the General Data Protection Regulation (GDPR), by helping enforce integrity, confidentiality, and data availability.
Achieve ISO 27001 compliance with Akamai
Akamai security solutions protect against vulnerabilities, malware threats (including ransomware), data breaches, and DDoS attacks. Akamai protects your customer experience, workforce, systems, and personal data and sensitive data by embedding security into everything, everywhere. The Akamai global platform ensures that an organization can detect and prevent existing and emerging threats and adapt to the changing security landscape. This is essential in maintaining ISO 27001 compliance and demonstrating continual improvement in security. The Zero Trust element of Akamai’s platform helps to create an ISO 27001 compliant environment providing deep visibility into assets, access controls, and network flows, with granular enforcement of security policy.
How does ISO 27001 affect your organization?
ISO 27001 comprises controls covering organizational, people, physical, and technological areas. All sectors are at risk of human-centered cyberthreats that exploit access to critical systems and services.
A fundamental approach within the ISO 27001 standard control objectives is that of Zero Trust security. Controls include:
- Access control, to establish physical and logical access controls to information and other associated assets
- Privileged access rights, to ensure “least privilege” access
- Segregation of networks, as part of a Zero Trust security approach
These controls help an organization establish a Zero Trust environment.
Here are three examples of sectors that benefit from implementing Zero Trust under ISO 27001:
ISO 27001 for critical infrastructures
Attacks on critical infrastructures have devastating effects. A recent example is a security incident at the U.S. oil supplier Colonial Pipeline . The entire Southwest of the United States was affected; all it took to circumvent operations security and infect the company with ransomware was a single compromised password. Critical infrastructures cover many vital services, including utilities, chemical manufacturers, and transport. The critical nature of these services makes them an attractive target for hackers. Unauthorized access and credential exposure that includes the wider supply chain is a central area of focus. The increased connectivity to the broader internet and an expanded attack surface of modern connected industrial units have allowed malicious actors to open once firmly closed doors into critical systems. Implementing ISO 27001 and associated information security policies and procedures mitigates the risk of cyberattacks on critical infrastructures.
ISO 27001 for healthcare
The wider healthcare sector is an ideal target for cybercriminals. The sector is data rich, a critical infrastructure, and highly dependent on technology and supplier relationships. As a result, healthcare institutions are at risk from many forms of cyberattack, including data breaches and ransomware. A recent report from the FBI’s Internet Crime Complaint Center (IC3) said that in 2022, the unit received more reports of ransomware attacks targeting healthcare than any other critical infrastructure sector. As a complex service, healthcare can benefit from the rigor required to implement an ISMS as part of ISO 27001 certification. A Zero Trust approach to information security risks will ensure that healthcare organizations can control access to sensitive data and maintain control over critical systems and services.
ISO 27001 for financial services
A 2023 International Monetary Fund (IMF) survey across 51 countries found that cyberthreats against financial instructions are “proliferating,” indicating a proper response by the sector is urgently needed. The financial industry suffers a variety of cyberattacks, including ransomware, data breaches, and DDoS attacks. The 2022 Verizon Data Breach Investigation Report broke the type of attacks against the financial sector into “Basic Web Application Attacks, System Intrusion, and Miscellaneous Error,” covering 79% of breaches. The report also highlights that stolen credentials are an integral part of most attacks in the sector. ISO/IEC 27001 provides mechanisms for the financial sector to enforce a Zero Trust approach to unauthorized access.
Business benefits of ISO 27001
Data security is a recognized competitive advantage. Achieving ISO 27001 certification helps organizations prove to customers, clients, and other stakeholders that your company takes information security seriously and has business continuity management in place. Being ISO 27001 compliant means that you have created a secure environment, based on an ISMS, that mitigates your data security risks and helps minimize risks for the companies you do business with.
Going through the process, to implement a set of controls to manage information security threats and improve incident management, means your organization has performed a data security gap analysis and is at lower risk of cyberattacks and accidental data exposure. This translates into fewer data breaches and a reduced likelihood of fines and other penalties for noncompliance with regulations.
The ISO 27001 controls and framework map to other data protection regulations, such as GDPR and NIST CSF (Cybersecurity Framework). Therefore, having ISO 27001 certification helps comply with these other data protection regulations.
Frequently Asked Questions (FAQ)
ISO 27001 centers on the organization-wide design and implementation of an ISMS; SOC 2 provides a comprehensive security framework to achieve this. SOC 2 compliance requires an organization to prove it has implemented a series of essential security controls to protect information. In other words, ISO 27001 takes an organization through a comprehensive development and implementation of an ISMS, but SOC 2 focuses on a narrower audit of security controls.
Further differences include that ISO 27001 is an internationally recognized certification standard. SOC 2 is a set of audits carried out by an independent certified public accountant (CPA).
ISO/IEC 27001 is a widely recognized international standard that sets out requirements for an ISMS. It is used by organizations of any size or type that require assurance that their information security risks are being managed. This includes organizations in the public and private sector, small and medium-sized businesses, large companies, nonprofit organizations, and government agencies.
Certification to ISO/IEC 27001 is one way to demonstrate that your organization is committed and able to manage information securely and safely. Holding a certificate issued by an accreditation body may bring an additional layer of confidence, as an accreditation body has provided independent confirmation of the certification body’s competence. If you wish to use a logo to demonstrate certification, contact the certification body that issued the certificate. As in other contexts, standards should always be referred to with their full reference, for example “certified to ISO/IEC 27001:2022” (not just “certified to ISO 27001”).
Why customers choose Akamai
Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away.