ISO 27001 information security management is an example of best practice in information security for any business, whatever its size, and can lead to significant cost savings.
The international standard ISO 27001 covers the planning, implementation, monitoring and improvement of an information security management system. It is cast in general terms, applicable to any size of organisation, and is dependent on human expertise for its application in a specific case. Its sister standard, ISO 27002, is a code of practice for information security, often used together with it.
Since its publication, there has been a growing need for ISO 27001 security management on the part of companies, especially those that are subject to regulation in this area.
There is a wide range of ISO 27001 security strategies, and the details will vary from one organisation to the next. Not every firm will require all possible information security countermeasures. Small firms, especially, may require only a minimum of procedures and technology in order to be compliant with the standard. This makes it all the more important that a firm’s information security management should be carried out by someone with expertise and experience of both the ISO 27001 standard and the field of information security in general, since the standard itself (intentionally) gives very little guidance as to how to apply it to specific situations.
So the question then becomes one of either developing an in-house ISO 27001 function, or hiring specialist expertise from a security firm. Many factors determine which is the best solution for your business, such as:
- the size of your business, the skill-sets of existing employees,
- the complexity of your computers and networks,
- what regulations the business is subject to,
- and (of course) the available budget.
For larger organisations, it can be more cost-effective to develop their own in-house function for undertaking ISO 27001 security management, which can then become a resource for all other sections of the company. This applies even if the company is multinational, since the ISO 27001 standard is an international one.
In the case of smaller companies, however, it might be difficult to justify committing significant resource to a function which is not a core business process. It may be more cost-effective to outsource their ISO 27001 security management to a specialist information security firm, especially if information security requirements are fairly straightforward. This type of management solution will avoid the need to hire a full-time dedicated employee at a professional-level salary, and will also minimize the need to buy specialized software.
Whichever the type of solution, appropriate ISO 27001 security management can lead to cost savings.
It is clear that ISO 27001 security management is a major aspect of information security for any business, whatever its size, and deserves to be taken seriously – not least because it can lead to significant cost savings.