
Compliance with the ISO 27001 information security standard

Anonim

Today, no one questions the strength of the ISO 27001 standard for Information Security management. Since its publication in 2005, the year ISO adopted the British standard BS 7799-2 under the name ISO/IEC 27001:2005, the standard has been carving out an increasingly important place in the busy world of certification.

And it has done so hand in hand with its guide to good practices, ISO 27002, which, without being certifiable, is a compendium of recommendations for those who face the enormous and demanding task of implementing an Information Security Management System (ISMS).

However, ISO 27001 is still a long way from achieving the degree of worldwide implementation of other management standards, such as the widely known standard that establishes the requirements of a Quality Management system: ISO 9001.

Such is the dominance of the quality standard that nobody now asks whether it is a mandatory or a voluntary standard. Simply put, if you are not certified under ISO 9001, you are out of the market. It is that blunt.

Seeing the evolution that ISO 9001 has undergone around the world since it was published in 1987, and taking into account that the society in which we live and the companies that operate in the market already depend absolutely on information, it seems logical to think that ISO 27001 will gradually gain weight both in public organizations and in private companies.

In this scenario, it may still be risky to think that ISO 27001 will one day become a mandatory standard in the strict sense, or "mandatory" in the de facto way that ISO 9001 is. But it is also true that we are beginning to see signs that this may not be so far off.

For example, in Peru, ISO/IEC 27002:2005 (remember, the guide of good practices and not the certifiable standard) has been mandatory in all public institutions since 2004, thus setting a standard for the operations of the Administration, with compliance supervised by the National Office of Electronic Government and Informatics (ONGEI).

Without leaving South America, in Colombia the ISO 27001 standard is mandatory for some sectors. This is the case for information operators, who, in accordance with that country's Decree 1931 of 2006, are required to comply with the standard.

But, without a doubt, it will be the private sector that pushes ISO 27001 forward with the greatest drive, given the important role that an ISMS can play in the corporate governance of companies where risk management is concerned.

We can find a clear example, of course, in the cradle of Information Security management, the United Kingdom. In 2004, the Financial Reporting Council (FRC), the British regulator to which publicly listed companies in that country must report their financial data, formed a group of advisers chaired by Douglas Flint of HSBC Holdings Plc.

The mission entrusted to this group was to review the Turnbull guidance, the good internal control practices for British listed companies first published in 1999. Drawing on the group's observations, the FRC released the updated guidance in October 2005. This update reinforces the importance of internal control and risk management in the corporate governance of companies.

Internal control and risk management: undoubtedly two concepts that are very familiar to those of us who work daily with ISO 27001. Indeed, the Information Security management standard is not limited to managing an organization's information systems; it goes much further. It involves a full examination of the process or processes we intend to certify, building an exhaustive knowledge of them.

This thoroughness comes from the identification and valuation of the organization's assets, and from the corresponding risk analysis, which sheds light on the controls we must apply to mitigate the risks detected.

From other quarters, the fit of ISO 27001 is being considered in the field of Corporate Social Responsibility (CSR), as well as within another concept, Governance, Risk Management & Compliance (GRC), which Scott L. Mitchell of the American think tank Open Compliance & Ethics Group (OCEG) described to us. This concept goes beyond corporate social responsibility, integrating good governance, regulatory compliance, risk management and Information Security.

Certainly, if the evolution that OCEG foresees comes to pass, Information Security would become as intrinsic to companies as financial control or quality management is today. That is the leap that Information Security still has to make to gain a foothold in the company and stay for good.

Of course, a very solid point of support for this evolution is provided by the 2008 Annual Report of the IT Policy Compliance Group, titled Improving Business Results and Mitigating Financial Risk. According to the data collected in the report, the organizations with the highest degree of development in IT GRC (GRC applied to Information Technology) exceed average revenue by 17%, which translates into 13.8% more profit.

Figures that, without a doubt, are a stimulus for ISO 27001 to keep gaining ground in its particular race to match the ISO 9001 quality standard in degree of implementation and de facto mandatory status. That is, to become a standard whose certification companies obtain not only to improve the security of their information, but also to improve their results and, of course, to stay in the market. A market that by then will have matured enough to marginalize those organizations that do not take the security of their information assets seriously.

Contributed by: Elena Ortega de Nicolás
