Protecting information

June 21, 2023

ISO 27001: Protecting sensitive information in the digital age

  • ISO 27001 sets out the requirements for information security management in organisations, providing a structured and systematic framework for managing information security.
  • ISO 27001 implements and enhances an information security management system, including the protection of data against internal and external threats.
  • While ISO 27001 is an international standard for information security management, the ENS is a Spanish standard focused mainly on the public sector.
  • ISO 27001 certification demonstrates an organisation's commitment to data protection, conveying trust and credibility to stakeholders, and addresses aspects such as secure communication, cryptography and regulatory compliance, such as GDPR.

The importance of digital information protection

Any organisation requiring a systematic and structured approach to information security management can rely on the international standard ISO 27001. This standard sets out the requirements for establishing, implementing, maintaining and improving an information security management system (ISMS) in an organisation.

Developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the standard provides a reliable framework for protecting data against internal and external threats. It also encourages the development of a security culture within each company, aligned with compliance with all types of legal, regulatory and contractual requirements.

A company that safeguards and protects information is also a company that sends signals of trust to its customers. By obtaining ISO 27001 certification, an entity makes explicit its commitment to data protection and confidentiality, an attribute that conveys reliability and credibility to the organisation's different stakeholders.

Implementation of the ISO 27001 standard

It should be noted that the implementation of ISO 27001 incorporates regulatory references that ensure that the accumulated experience and knowledge in the field of information security are taken into account. References to the standard thus provide a solid basis for the implementation of security controls and risk management.

The system also includes managing information assets within an organisation, including those stored in systems, networks, printed documents, physical records, and so on. Appropriate protection measures must be established for each asset identified, considering its value, criticality and associated risks. Following this analysis, management is articulated through lines of action that include systematic evaluation in order to mitigate any negative impacts.

Cybersecurity is also part of this regulatory framework, as many of the current threats to a company come from sources such as hackers, malware and phishing attempts. The ISO 27001 protocols and requirements are aligned with the criteria of the National Cybersecurity Institute (INCIBE).

In this regard, it should be noted that the standard directly addresses communications in relation to information security, ensuring the protection of confidentiality, integrity and availability of information during its transmission, and establishing specific requirements to ensure secure communication.

ISO 27001 in the Cloud: Protection in the cloud environment

The effects of ISO 27001 also extend to information hosted in the cloud, which involves assessing the risks associated with this environment, setting criteria for selecting reliable suppliers, implementing adequate security controls and ensuring business continuity and data recovery.

It should be noted that the standard points to cryptography as one of the most effective control measures for protecting the confidentiality, integrity and availability of information. Cryptography encrypts and decrypts information, ensuring that only authorised parties can access it.

Similarly, the specific requirements of the ISO 27001 standard include access control, the purpose of which is to ensure that only authorised persons access information assets and systems. This control minimises the risk of security and confidentiality breaches.

The combination of the aspects above makes ISO 27001 a complete system, aligned with the General Data Protection Regulation (GDPR) of the European Union, which sets out the requirements for safeguarding personal information in member countries. Its effectiveness, enhanced when it is applied together with modern encryption algorithms and techniques, makes the standard a solid basis with an ever decreasing margin of error.

It is important to note that ISO 27001 provides a general framework, but each organisation needs to tailor its data protection controls and measures according to its own specific needs and requirements. Furthermore, this standard does not automatically guarantee compliance with all data protection laws and regulations, such as GDPR compliance, but it can be a useful tool to establish a solid basis for data protection within an organisation.

Within an organisation, the role of the chief information security officer (CISO) is to establish and oversee the organisation's information security strategy and programmes; the CISO is generally responsible for leading the implementation of, and compliance with, ISO 27001 within the organisation.

Finally, it should be noted that in Spain there is another standard that establishes the requirements and procedures in the field of information security: the National Security Scheme (ENS, from its Spanish name). This standard, which is national in scope only, is mandatory for public administrations and for private sector companies providing digital services to public entities. While both standards are effective in establishing an information security management model, ISO 27001 takes a more generalist approach to establishing a company's security requirements, providing more flexibility between security measures and the company's operations. The ENS, meanwhile, establishes the necessary security controls at a more granular level, based on a categorisation of the company's information systems according to their criticality and impact. The certification process for both standards involves an external audit, renewable every 2 years in the case of the ENS and every 3 years in the case of ISO 27001, with annual monitoring.