James's Ramblings

An Overview of ISO 27000 Information Security

This article was originally published on The Scale Factory blog here.

ISO 27000 compliance; everyone’s top fun thing to talk about, right?

In this article, I’m going to explain some of the ISO 27000 family – to save you the boredom of researching this yourself – and clarify why we might need to care about this joyously dry topic.

Dry or not, you might be wondering how well the ISO 27000 approach fits your own organisation. To tell the truth, the ISO 27000 approach is a really good fit for any SaaS business, and I’m going to explain why.

Padlock on phone

When you’re organising information security, you want to know that the measures you’re taking are right for your commercial context. If it’s worth doing, you’re willing to find the funds to make it happen. And when it’s not, you don’t want to pay to tick boxes on a checklist that you don’t care about.

ISO 27000, along with other standards like ISO27002, sets out requirements for an ISMS. Those requirements talk a lot about the plans, processes, and documentation that underpin your technical implementation, rather than on any technical or physical specifics.

That’s actually a key message of ISO 27000. The other aspect of the standard and the approach it explains is to do continuous, systematic improvement. Setting up some controls and then leaving them untouched isn’t as effective as keeping them up to date as your business and the world around it evolve.

The ISO 27000 family of standards about how you set up that continuous improvement process for your organisation. What it’s not is a specific, prescriptive recipe for what that process looks like and what security safeguards you must have. That approach from ISO 27000 can work for organisations large and small.

What you get out of it is an information security management system (ISMS). Now, you might think that this is a website you log into to check on compliance and to detect important changes. Actually, no. An ISMS consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets (that’s what the standard says). It’s basically some documentation so that people in the company can see how you do information security.

(If you want to manage that documentation online, that’s absolutely fine, and it’s what we do ourselves at The Scale Factory.)

At some point, you’ll get to identifying some key risks for your business. If you’re providing software as a service, you might have servers that need securing, or maybe you opted for a fully serverless architecture. Controlling the most important risks could mean thinking about how you handle security updates. Maybe you identify that guidelines on secure coding and the OWASP top ten are going to be helpful.

You can make formal plans and document how you’re implementing information security. Without that, it’s easy to overlook important functions, leading to unchecked risk; it’s also impossible to prove to third parties that you have achieved a certain level of information security. For SaaS businesses, that could very well mean missed sales opportunities.

Organisations often use ISO 27000 on the road to achieving ISO 27001 certification – which requires an external auditor. Achieving ISO 27001 involves actually creating, implementing, and continually improving an ISMS - and documenting that you’ve done this.

There is also ISO 27002 – a supplementary standard that provides a reference set of controls to implement ISO 27001. Regardless of whether you would like to achieve ISO 27001 or not, the outputs of ISO 27000 can be invaluable to better an organisation’s security posture.

Want to learn more? Check out our other articles on ISO 27000, or read about how we can help you with your compliance challenges.