Research Paper

profilereddygs17
ISO27001standard.docx

1

Runninghead:ISO 27001 Standard

1

ISO 27001 Standard

Research Paper ISO 27001 Standard

Naveen Kumar Reddy Tileti

University of the Cumberland’s

Date: 10/03/2020

Research Paper ISO 27001 Standard

Introduction

Several frameworks are used for managing risks within enterprises and organizations. An example of such frameworks is the ISO 27001 standard. Besides, there is a comparison of different frameworks depending on their level of effectiveness. Like any other framework, the ISO 27001 standard also exhibit both weaknesses and strength to all level of approaches. Furthermore, cybersecurity frameworks are the structures containing practices, processes, and technologies that an organization can use to secure computer and network systems from security threats. Therefore, such frameworks are responsible for enhancing organizational security.

ISO 27001 Standard

The ISO 27001 certification demonstrates that an organization has identified risks, put systemized controls, and assessed implications that limit any damage or threat (Watson & Jones, 2014). In that case, ISO 27001 can work well for the organization that I had previously worked for because it has increased information and systems' security and reliability (Higgins & Regan, 2016). Improved business partner and customer confidence are possible with ISO 27001 (Kenyon, 2019) standard (Watson & Jones, 2014). Again, any organization with sensitive data, whether non-profit or profit, government or private, small business, or corporate, can benefit from the implementation of 27001 standards (Carol et al., 2016).

Moreover, non-IT firms are interested in ISO 27001 because IT is not the only essential element for information protection. In many cases, firms already have technologies put in place (Kenyon, 2019). For example, antiviruses, firewalls, and backups. However, such technologies still have data breaches because the technology is not enough (Kenyon, 2019). I also learned from the organization where I worked before that most employees do not know how to use such technologies securely. The implemented technology might be limited when preventing an insider attack (Watson & Jones, 2014). Therefore, something else might be deployed.

ISO 27001 standard will work well in the organization because it provides the methodology for finding out which potential incidents might happen, including the defining procedures on employees' behavior that can be changed (Watson & Jones, 2014). The objective here is to save future incidents of business risks. Also, ISO 27001 provides a framework of standards on how modern organizations can manage their data and information. For instance, risk management is an essential part of ISO 27001 (Watson & Jones, 2014). The standards ensure that an organization, whether profit or non-profit, understands where their respective weaknesses and strengths lie (Higgins & Regan, 2016). ISO 27001 standards define the framework of procedures and policies that include all the physical, legal, and technical controls are involved in an organization's risk management processes (Kenyon, 2019). Therefore, by maintaining and establishing a documented management and controls system, threats can be easily be identified and reduced at the same time (Kenyon, 2019).

Additionally, ISO 27001 works on a risk-based, technology-neutral, and top-down approach (Carol et al., 2016). ISO 27001 draws coordination between the sections of an organization and enhances management responsibility (Kenyon, 2019). ISO 27001 will always ensure continual improvement while conducting internal audits and undertaking preventive and corrective actions (Kenyon, 2019). An effective ISO 27001 will always provide a management framework of procedures and policies that will keep an organization's information secure despite the format (Carol et al., 2016). Therefore, considering the series of high-profile cases, it is always very damaging to any organization if confidential information or data gets into the public domain or wrong hands (Watson & Jones, 2014).

Achieving ISO 27001 certification implies that the business has protected its information from getting into the wrong hands (Carol et al., 2016). The organization will be able to ensure that information is accurate, and modification is done by authorized users (Carol et al., 2016). Assessing the risks and mitigate the impact of a security breach are all possible with an effective ISO 27001 (Kenyon, 2019). According to the international standard, the latter has also been assessed independently based on any industry's best practices (Higgins & Regan, 2016). Additional benefits of a useful ISO 27001 include alignment with customer requirements, increased business resilience, and improved integration with corporate risk strategies (Watson & Jones, 2014). However, achieving ISO 27001 does not guarantee that information or data breaches will not occur (Higgins & Regan, 2016). Therefore, by exhibiting a healthy system, risks can be reduced while costs and disruptions are kept at a minimum (Carol et al., 2016).

ISO certifications are known across the globe as a way of demonstrating best practices. One of the ISO certifications is ISO 27001, and it is known for its information security (Carol et al., 2016). However, ISO 27001 for many small businesses can be more formal, complicated, and costly. Therefore, most businesses are forced to look for alternatives, especially when considering taking their information security seriously (Carol et al., 2016). Again, clients will always want to associate with organizations demonstrating a certain level of seriousness. One of the alternatives to ISO 27001 is the IASME (Higgins & Regan, 2016). The certification authority delivers a scheme for essential cyber accreditation on behalf of the government. It has an independent on-site audit of the subscribing organization's level of data security (Carol et al., 2016).

IASME offers a similar level of assurance to that of ISO 27001 standard (Kenyon, 2019). The difference is that it is simpler and affordable for small and medium-sized business organizations. IASME standard is built based on the primary technical focus, including essential cyber certification (Kenyon, 2019). The main concern is the addition of more procedural and policy elements for business organizations.

Another type of information security standard besides ISO 27001 is SOC the name of that framework matches the reports released during an audit (Carol et al., 2016). SOC is intended for use by service organizations issuing validated reports of internal controls apart from the users of such services' services. The advantage of using SOC is that they initiate privacy, availability, security, confidentiality, and integrity processing (Higgins & Regan, 2016).

Conclusion

Cybersecurity is the primary source for many organizations, and the need for implementing effective strategies grows daily. Cybercriminals are also deriving more sophisticated techniques for further attacks. For that reason, many organizations have been led to develop various frameworks that can assist them with achieving robust programs for cybersecurity. Business organizations are also expected to understand some of the top cybersecurity frameworks that can enhance their security postures. The selected framework must have defined structures containing practices, technologies, and processes that ensure computer and network systems' security.

References

Carol, Hsu, Tawei Wang, & Ang Lu. (, 2016). The Impact of ISO 27001 Certification on Firm Performance.

Higgins, M., & Regan, M. (2016). Cybersecurity. Minneapolis, Minnesota: Essential Library, an imprint of Abdo Publishing.

Kenyon, B., & IT Governance Publishing. (, 2019). ISO 27001 controls: A guide to implementing and auditing. Ely, Cambridgeshire, United Kingdom: IT Governance Publishing.

Watson, D. L., & Jones, A. (2014). Digital forensics processing and procedures: Meeting ISO 17020, ISO 17025, ISO 27001, and best practice requirements. San Diego, CA: Elsevier Science & Technology Books.