ISO Standards for Information Security

The world could have been relegated to a state of disorder in which any business carries out any activity without fear of the negative effect its operations have on others.

The lack of standardized protocols for doing business has caused situational, cultural, and operational changes in business. This was part of the reason ISO was established.

ISO is an abbreviation for International Standard Organization. According to Wikipedia, “the International Organization for Standardization (ISO) is an international standard-setting body composed of representatives from various national standards organizations founded to promote proprietary, industrial, and commercial standards. It is an independent, non-governmental organization, the members of which are the standards organizations of the 165 member countries.”

ISO has released different operational processes, guidelines, and procedures that organizations can work with for conformity, uniformity, and standardization purposes. Organizations that have implemented ISO standards display their certification as evidence that they conform to international standards and to best practices for processes and procedures. Once an organization or individual has conformed to a standard, an ISO certification is issued by a third-party organization.

ISO Certification is a seal that affirms that an organization has implemented or is running a standard developed and published by ISO. Let’s look at some of the standards that have been developed and published by ISO for the information security and information technology industry.

The first is ISO 27001:2013 Information Security Management System (ISMS), which is designed for information security management implementation and auditing. It is a good certification for organizations that want to establish, implement, maintain and improve the security of information within their infrastructure. This certification is not issued to organizations but to individuals, so organizations seek to employ individuals with ISO 27001:2013 certification to improve the information security of their IT infrastructure. Individuals with this certification should be able to implement information security system processes, manage a team that implements an ISMS, prevent and assess threats within an organization, and audit an organization's ISMS.

Another information security standard is ISO 27031 Cyber Security Management. This ISO standard is also issued to individuals as a seal of their ability to provide guidance on the management of information security, network security, internet security and critical information infrastructure protection. It is best for organizations that operate a Security Operations Center (SOC) or have a data center that manages the exchange of information. Individuals with this certification are able to establish and maintain a cybersecurity program, protect an organization's data and privacy, develop and manage cybersecurity policies, and improve the system security of organizations.

Moving forward, we have ISO 27035 Information Security Incident Management. This standard presents the basic concepts and phases of information security incident management and combines them with principles in a structured approach to detecting, reporting, assessing, and responding to incidents, and applying lessons learned. Organizations require individuals with ISO 27035 to respond to the cybersecurity incidents they encounter. Individuals with this certification will be able to effectively manage a cybersecurity incident, reduce the negative impact of an incident on the organization's operations, and implement best practices for information security management, and they usually head the organization's Cyber Security Incident Response Team (CSIRT).

Then we have ISO 27301 Business Continuity Management System. With a business continuity management system, an organization is prepared to detect and prevent threats, and it largely ensures that business operations are not affected in the event of a disaster. This certification prepares individuals to implement, maintain and improve a management system that protects against disruptions, reduces the likelihood of their occurrence, and prepares the organization to respond to and recover from them when they arise.

While these are among the popular ISO standards related to the information technology and information security industries, ISO itself does not issue certifications; instead, it approves third-party organizations or bodies to issue ISO certification. Some of the approved bodies that issue ISO certification are the Professional Examination & Certification Board (PECB) and the International Register of Certificated Auditors (IRCA). While these organizations issue ISO certification, they don't usually conduct ISO training; instead, they focus on ISO certification exams.

Before an organization or individual is ISO certified, it must undergo the specific ISO training and pass the ISO certification assessment. Different organizations offer ISO training both online and in person in Africa. However, due to COVID-19 restrictions, most ISO trainers, including HICS Academy, now offer a virtual ISO training option that enables students to join classes remotely.

As information security continues to be a challenge the world is experiencing, there is a need for professionally certified information security consultants, and acquiring ISO certification is the easiest and best way to go.