Unless you are a relatively small organization, or one that does not use information or information technology at all, ISO 27001 is an appropriate standard for you to deploy to safeguard your IT infrastructure investments, protect your competitive position and ensure you comply with current and future national and international laws and regulations.
If you do, you need to have a structured approach to protecting it against multiple external and internal threats; such an approach requires a mix of technology and procedure, as well as informed and well-trained computer users. The standard contains best practice guidelines on how to achieve this.
If you do, you need a structured approach to storing and protecting that information in a way that ensures your organization complies with a myriad of often conflicting international laws and regulations. The standard contains best practice guidelines on how to achieve this.
If it does, you need a structured approach to ensuring that your systems continue operating without interruption and that your fall-back plans in case of disaster are thoroughly tested and dependable. The standard contains best practice guidelines on how to achieve this.
External certification of your information security management system can provide customers, partners and suppliers with the confidence to move forward in dealing with you, knowing that you maintain secure information systems.
Probably not.
If your answers to the first four questions are ‘Yes’ and to the last is ‘No’, then you need to deploy a structured information security management system, and as soon as possible. The question that remains is: ‘Is ISO 27001 the answer?’
The answer depends on the size and complexity of the organization, and on the commercial drivers. In practical terms, if you employ fewer than 25 people, ISO 27001 is only likely to be appropriate if there are specific commercial reasons for pursuing it: you operate in a high-risk environment (eg financial services), there is a customer requirement (eg service desk outsourcing services) or some other mandate (eg government or funding requirements). Unless these reasons apply, you will probably be better off pursuing a less complex but relatively practical solution such as the Infosec Basics for Business[22] or even, if you are a very small or home-based business, applying the Internet Highway Code[23].