Coming across the phrase “ISO Certified” is all too common among businesses, organizations and non-governmental associations, but few of us know what it actually certifies. Although different standards exist (such as ISO 9000 and ISO 14000) that address quality in specific areas such as risk management, quality, customer satisfaction etc., ISO, which stands for International Organization for Standardization, is aimed at providing a family of standardization norms. It is important to understand which standard suits your company best before going for an ISO certification.
In every organization, regardless of its location, size or business area, there are always some risks. These could be financial risks such as fraud; legal risks such as non-compliance and tax penalties; technical risks such as failure of the technologies employed by the business; alongside a host of general business risks. While some risks can hardly be controlled, most internal risks can be managed by using controls within the organization. In this context, it is important to understand two key terms: ISMS and ISO 27001.
An ISMS, which stands for Information Security Management System, is a specified framework of policies and procedures that includes all the legal, physical and technical controls involved in an organization’s information risk management processes.
The ISO 27001 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”
At a time when the world is moving towards increasingly pervasive digitalization, the security of data assumes greater importance. Data theft and privacy issues have recently been playing the greatest roles in corporate frauds worldwide. The ISO 27001 certification issued in 2013 is aimed at improving how a company manages its information systems and at making them more secure, trustworthy and reliable.
The certification covers the responsibilities of management, audit committees for review, internal management and documentation systems, and it also requires the design of a corrective and preventive action plan. Through a checklist of good compliance practices, ISO 27001 sets out a six-point plan that includes:
The ISO 27001 certification is considered to be ideal but is not mandatory. Some businesses use the certification results to improve their internal practices for risk management, while others gain from the confidence it imparts to the business processes in the eyes of several stakeholders like banks, customers, investors and the government.
While there is no statute in India making it compulsory, the Information Technology Act 2008 uses the words “reasonable security practice” for protecting sensitive personal information, and ISO 27001 promises exactly that. Thus, companies that record personal information, such as those in banking, finance, credit rating, social media and marketing, should ideally obtain the ISO 27001 certification.
Contrary to popular belief, the International Organization for Standardization does not itself perform the quality check for certification; it is only involved in formulating the standards against which performance can be measured. The task of weighing actual controls against the ISO standards is performed by external certification bodies, so a company or organization cannot be certified by ISO itself. In India, there exist accredited bodies that undertake the certification, as well as legal agencies and lead auditors that possess the qualifications and the necessary accreditation to provide ISO 27001 certification. An ideal agency to choose would be one that performs a gap analysis to highlight deviations from the standard and assists by suggesting appropriate controls to meet it.
The ISO 27001 certificate is valid for a period of three years. In the interim, however, the certifying agency pays regular visits and advises on improvements to the systems. It may also suspend the certification before its expiry if any deviation is found.
At Vakilsearch, we recommend that companies obtain ISO 9001 Certification in India. Our team of experts provides support in every phase of the certification process:
We are ready to go that extra mile to help businesses achieve their goal.