ISO 27000 compliance; everyone’s top fun thing to talk about, right?
In this article, I’m going to explain some of the ISO 27000 family – to save you the boredom of researching this yourself – and clarify why we might need to care about this joyously dry topic.
Dry or not, you might be wondering how well the ISO 27000 approach fits your own organisation. To tell the truth, the ISO 27000 approach is a really good fit for any SaaS business, and I’m going to explain why.
When you’re organising information security, you want to know that the measures you’re taking are right for your commercial context. If it’s worth doing, you’re willing to find the funds to make it happen. And when it’s not, you don’t want to pay to tick boxes on a checklist that you don’t care about.
That’s actually a key message of ISO 27000. The other aspect of the standard and the approach it explains is to do continuous, systematic improvement. That’s because setting up some controls and then leaving them untouched isn’t as effective as keeping them up to date when your business and the world around it evolve.
ISO 27000, along with other standards like ISO27002, sets out requirements for an ISMS. Those requirements talk a lot about the plans, processes, and documentation that underpin your technical implementation, rather than on any technical or physical specifics.
The ISO 27000 family of standards about how you set up that continuous improvement process for your organisation. What it’s not is a specific, prescriptive recipe for what that process looks like and what security safeguards you must have. The flexible, evidence-based approach from ISO 27000 can work for organisations large and small.
What you get out of it is an information security management system (ISMS). Now, you might think that this is a website you log into to check on compliance and to detect important changes. Actually, no. An ISMS consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets (that’s what the standard says). It’s basically some documentation so that people in the company can see how you do information security.
(If you want to manage that documentation online, that’s absolutely fine, and it’s what we do ourselves at The Scale Factory.)
At some point, you’ll get to identifying some key risks for your business. If you’re providing software as a service, you might have servers that need securing, or maybe you opted for a fully serverless architecture. Controlling the most important risks could mean thinking about how you handle security updates. Maybe you identify that guidelines on secure coding and the OWASP top ten are going to be helpful.
You can make formal plans and document how you’re implementing information security. Without that, it’s easy to overlook important functions, leading to unchecked risk; it’s also impossible to prove to third parties that you have achieved a certain level of information security. For SaaS businesses, that could very well mean missed sales opportunities.
Organisations often use ISO 27000 on the road to achieving ISO 27001 certification – which requires an external auditor. Achieving ISO 27001 involves actually creating, implementing, and continually improving an ISMS - and documenting that you’ve done this.
There is also ISO 27002 – a supplementary standard that provides a reference set of controls to implement ISO 27001. Regardless of whether you would like to achieve ISO 27001 or not, the outputs of ISO 27000 can be invaluable to better an organisation’s security posture.
Are you ready for ISO 27001? Do you have an effective information security management system that delivers the right technical controls in your AWS environment?
Our whitepaper looks at the tasks involved and makes some recommendations. Or for a quick expert check and report of your infrastructure against the reference controls of ISO 27002, see our AWS Readiness Assessment.
This blog is written exclusively by The Scale Factory team. We do not accept external contributions.