The ISO/IEC 27000 family of standards was developed to help organizations with keeping their information assets secure. Of all the ISO 27000 standards, ISO 27001 is the best-known. It is a specification for an information security management system (ISMS), which is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.
As ISO points out, ISO 27001 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.” It uses a top-down, risk-based approach and is technology-neutral.
ISO 27001 is popular since organizations realize how important it is to implement an ISMS that protects their business. This is not surprising considering the rise in data breaches, cyberattacks, nation-state hacking incidents and ransomware outbreaks. To protect themselves, global companies, enterprises and governments investing heavily in cybersecurity. According to Gartner, worldwide information security spending will reach $86.4B this year. However, they often don’t know how effective their data and system security really is.
The 2017 State of Cybersecurity Metrics Annual Report outlines the IT security effectiveness of 400 global companies. Using internationally accepted standards for security embodied in ISO 27001 (as well as best practices from industry experts and professional associations), the report shows:
- 58% of companies fail to measure the effectiveness of their cybersecurity investments and performance against best practices.
- 1 in 3 companies invest in cybersecurity technologies without measuring their value or effectiveness at all.
- 4 out 5 companies don’t know where their sensitive data is located, and how to secure it.
- After a data breach, 64% of the surveyed organizations fail to recover in a timely manner or in a way in line with their disaster recovery plan.
- 8 out 10 companies fail to ensure that their IT security policies are understood by employees, which puts those organizations at risk for data leakage and internal data breaches.
Implementing the ISO 27001 helps organizations to solve the issues outlined above. They can opt to only comply with the standard, or to also be ISO 27001 certified. An organization complies with the ISO 27001 standard when it meets the requirements. To check the compliance, internal audits are carried out. Cymulate’s assessment platform is a powerful tool to assist organizations to test their current security posture.
Once the organization is compliant, it can ask to become certified. This involves an external audit by an independent certification body. Such an audit normally involves a high level review of the management system, followed by an in-depth look at the management system to check the compliance in various areas. Once certified, the organization must undergo annual surveillance audits to check whether its ISMS is maintained. Cymulate’s breach and attack simulation platform shortens the testing cycle and speeds up time to remediation which helps organizations when they are preparing to become certified.
The ISO 27001 Global Report 2016 illustrates how popular compliance with the ISO 27001 standard has become. Out of the respondents, 98% stated that the most important benefit of ISO 27001 was improved information security, 11% said that compliance with the standard improved their company’s reputation, and 8% stated it improved competitiveness. Their main driver for implementing ISO 27001 was to improve their organization’s information security posture (69%), with 55% of respondents reporting that the single most important benefit of ISO 27001 for them was the improved information security.
When it comes to risk assessment, 76% of respondents follow an asset-based risk assessment methodology, with 40% indicating that they move to a combination of scenario/event-based and asset-based methods. The Cymulate assessment platform is a powerful tool for helping with the risk assessment.
To help organizations with their ISO 27001 compliance, Cymulate has made the assessment procedure fast and easy to perform. The on-demand platform allows for testing the security posture of the organization at anytime and anywhere.
Want to find out how the Cymulate platform can help you? Sign up for our FREE assessment without any obligation. See for yourself how Cymulate’s automated platform will simulate continuous attacks on different vectors to locate vulnerabilities which allows you to mitigate issues so you can remain ISO 27001 compliant.