Understanding ISO Compliance
Though globalization has opened up new markets and avenues for businesses to grow and expand, it
has also increased security risks manifold. In this age, as companies and organizations depend largely on
technology to carry out their various business activities, their greatest risk is information
security risk. Hence there is a need for a code of practice, or set of standards, to
effectively manage the confidentiality, integrity and availability of information assets and thereby reduce
information security vulnerabilities. The International Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC) hope to achieve this with the promulgation of the ISO/IEC
27000 series, also known as the ISMS Family of Standards or simply the ISO 27K series.
ISO is the world’s largest non-governmental, voluntary organization for developing and publishing
universal industrial and commercial standards while IEC is a non-governmental, non-profit organization
preparing and publishing international standards for all electronic, electric and related technologies.
These organizations have come together to help companies and organizations in having an overall
management and control framework to deal with information security risks.
Today it has become imperative that companies and organizations achieve ISO compliance,
particularly with ISO 27001 and ISO 27002, if they want to minimize information security risks. Those
companies that do not comply with the ISO 27001 and ISO 27002 guidelines face
severe consequences such as financial losses, harsh penalties, loss of brand reputation, loss of
investor confidence and so on. Let's look at the two standards in brief.
ISO 27001
An Information Security Management System (ISMS) standard published in 2005, ISO 27001 details the
requirements for the establishment, implementation, monitoring and review, maintenance and
improvement of a management system for managing an organization's information security risks. As per
this standard, the company management must
● Assess the information security risks, vulnerabilities, threats and impacts systematically
● Deploy sound and comprehensive information security controls to address the information
security risks effectively
● Ensure that the implemented information security controls continue to meet the security needs of
ISO 27002
ISO 27002 is a code of practice for initiating, implementing and maintaining an information security management
system. In its introduction it states: "Information can exist in many forms. It can be printed or written on
paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in
conversation. Whatever form information takes, or means by which it is shared or stored, it should always
be appropriately protected." ISO 27002 consists of 12 sections, each specifying a set of
information security controls and their objectives.
Though ISO/IEC 27001 and ISO/IEC 27002 are two different standards, they are always used
together. Though compliance with ISO 27001 and 27002 is a complicated process, companies and
enterprises can achieve it easily, quickly and accurately through ISO compliance management software.