
ISO Standards Relating to Information Security, Privacy, and Risk Management

Updated: Feb 15


Photo Credit: arena


The increased globalisation in the world has made it possible for organisations to bypass geographical restrictions that once limited cross-border partnerships. However, despite the advantages of more global collaborations, such as better transfer of knowledge and innovation, having reliable and unified ways of determining best practices is crucial for international quality assurance. Therefore, the International Organisation for Standardization (ISO) is regarded as one of the most significant entities in global trade and collaboration because of its globally recognised and accepted ISO standards.


ISO standards are a collection of global best practices for various aspects of operations and management. An organisation is said to be ISO compliant if it meets the requirements outlined in a specific ISO standard, and this often helps the company’s reputation and trustworthiness in the minds of its existing and potential partners and customers.


Although the ISO standards were initially developed for specific industries like construction and manufacturing, they have been updated over the years to cover several aspects, such that they address all of the sustainable development goals. These ISO standards cover a wide range of different business processes, including quality management standards, environmental management standards, and IT security standards. In the context of IT security standards, this article evaluates standards relating to information security, privacy and risk management.



[Figure: A histogram depicting how many ISO standards contribute to each sustainable development goal]

How the ISO standards contribute to the SDGs (Photo Credit: ISO)


Information Security: The ISO/IEC 27000 family

The increased importance of data in modern business operations comes with the risk of data breaches, which pose serious threats to an organisation’s information security. Therefore, protecting sensitive data is a major priority for businesses, and the ISO/IEC 27000 family enables organisations to effectively manage the security of financial information, employee data and other information assets.



ISO/IEC 27001

ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS), and it serves as a checklist for companies that seek effective security for their information. Key areas of ISO 27001 include information security policies, access control, and incident management.




[Figure: An infographic depicting some of the operational and technical benefits of the ISO 27001 standard]

Photo Credit: TUV Rheinland

ISO/IEC 27002

ISO/IEC 27002 is closely related to ISO/IEC 27001 because it provides guidance on how ISO/IEC 27001 can be implemented. However, ISO/IEC 27002 also provides guidance for organisations on cybersecurity, emphasising best practices related to key cybersecurity aspects including access control, cryptography, and human resource security.


ISO/IEC 27003

Similarly, ISO/IEC 27003 also emphasises the core position that ISO 27001 holds in the series because, just like ISO 27002, ISO 27003 provides guidance for implementing an ISMS based on ISO 27001. ISO 27003 is very instructive in nature, such that organisations that follow it will produce a final ISMS project implementation plan. This is because ISO 27003 covers the process of ISMS specification and design, such as how to obtain management approval to implement an ISMS and how to plan the project.


ISO/IEC 27004

ISO 27004 is significant in the series because it provides guidance for monitoring, measuring, assessing, and evaluating information security. Measuring information security is important for continually improving existing methods and procedures in organisations. Organisations that rely on guidance from the ISO 27004 standard are therefore better able to protect themselves from the increasing diversity of security attacks. The assessment guidelines in ISO 27004 also make the standard important for determining the performance of ISO 27001, because it describes how to analyse and disclose the effects of a set of information security metrics.


ISO/IEC 27005 

ISO/IEC 27005 provides guidelines for risk management, and this makes it useful for organisations aiming to safeguard their information assets and achieve information security objectives. A risk management process based on ISO/IEC 27005 involves the establishment of an iterative risk assessment approach, the implementation of risk treatment options, and continual communication and consultation with interested parties. Because the standard provides frameworks for risk management in information security, it supports the guidelines of ISO 31000, which is explained in a subsequent section of this article as a universal standard for risk management processes.


ISO/IEC 27017 

The use of cloud storage is increasingly prevalent in the operations of organisations because most organisations rely on cloud storage to ensure the safety and security of their increasingly large datasets. ISO/IEC 27017 is therefore an information security standard that was developed to address information security protocols in a cloud computing environment. ISO 27017 was derived from ISO/IEC 27002 to provide additional cloud security controls that were not fully specified in ISO/IEC 27002.


ISO/IEC 27018 

ISO/IEC 27018 is similar to ISO 27017 because they both provide guidelines for information security in cloud environments. Specifically, ISO 27018 is a code of practice for public cloud service providers, and it is regarded as the international standard for protecting personal information and privacy in cloud storage. The term for the personal data it covers is Personally Identifiable Information (PII), and the standard provides improved guidance for better implementation of the controls in ISO 27002 and ISO 27001. It achieves this by providing extra guidance on PII protection requirements for the public cloud.


ISO/IEC 27032

ISO 27032 (ISO/IEC 27032:2012) is often regarded as a complementary standard to ISO 27001 because it also focuses on how organisations can protect sensitive data from being compromised during exchanges by means of hacking or unauthorised modifications. The ISO 27032 standard considers cybercrime one of the greatest risks faced by organisations, and it provides resources for managing it within an organisation. The four aspects on which ISO 27032 focuses are internet security, information security, network security, and Critical Information Infrastructure Protection (CIIP).



Privacy

ISO/IEC 27701

Data privacy is one of the most significant and controversial aspects of modern technology and global knowledge transfer. It is one of the most debated aspects of the digital world because it touches not just on security but also on ethics. Organisations need data from customers and partners to fully function in the modern digital age, but organisations also have the responsibility of ensuring that this data is collected on the basis of informed consent and is not misused for personal gain after being collected.


Therefore, following many regional and national privacy laws and regulations, such as the EU’s General Data Protection Regulation (GDPR) and the Australian Privacy Principles, ISO 27701 was developed as a data privacy extension of ISO 27001 to serve as a code of conduct or standard for privacy data compliance and certification.


When an organisation is ISO 27701 compliant, it has a way of demonstrating to global consumers, partners, and other internal and external stakeholders that the company has the necessary protocols and processes in place to keep data safe and to demonstrate compliance with major privacy regulations like GDPR. ISO 27701 was developed to provide a standard for data privacy controls which, when coupled with an ISMS, allows an organisation to demonstrate effective privacy data management.


ISO/IEC 29100

ISO/IEC 29100:2011 also provides a privacy framework by giving a clear specification for defining the actors and their roles in processing personally identifiable information (PII) for both natural persons and organisations. Therefore, where privacy controls are required for processing PII, ISO 29100 provides guidelines for their procurement, architecture, design, development, and operation.


ISO/IEC 29134

ISO/IEC 29134 is important for evaluating the impact of data processing activities on privacy and identifying necessary mitigations, because the standard was developed to provide guidance for conducting privacy impact assessments. The standard therefore helps organisations assess and address potential privacy risks in their operations, ensuring that privacy is considered at every stage of data processing.


ISO/IEC 27018

As already discussed above, ISO 27018 is another ISO standard that provides guidance on privacy.


Risk Management (ISO 31000)

ISO 31000 provides a universal standard for practitioners and companies employing risk management processes. The goal of risk management is to identify, assess and control threats to an organisation's capital, earnings, and operations. A successful risk management framework helps an organisation consider the full range of risks it faces while also examining the relationships between different risks and the effect they could have. Therefore, the ISO 31000 framework is significant because it provides organisations with guidelines and principles for risk management which can increase the odds of identifying risks and properly allocating resources to mitigate them.




[Figure: A process flow of the ISO 31000 risk management process]

Photo Credit: Techtarget


Meanwhile, ISO/IEC 27005 also provides guidance on risk management, as already discussed in this article.


Conclusion

In summary, ISO standards can be regarded as globally recognised and accepted frameworks that define industry best practices. As a professional or enthusiast of IT security, understanding and applying ISO standards can enhance international credibility and ensure efficiency in operations. Although there are about 25,176 ISO standards at present, a number that will increase in future, by evaluating those related to information security, cybersecurity, privacy and risk management, this article has provided significant insights into how these standards contribute to security in information technology.

