ISO/IEC 27001 information security explained for small businesses

ISO and the International Electrotechnical Commission (IEC) have just launched a new handbook providing practical advice for small and medium-sized enterprises (SMEs) on how to achieve the benefits of implementing an information security management system (ISMS) based on the International Standard ISO/IEC 27001.

Published in 2005, ISO/IEC 27001 is one of the fastest growing management system standards, being implemented by thousands of organizations in more than 100 countries.

ISO/IEC 27001 for Small Businesses – Practical advice takes the mystery out of information security and presents a practical, clearly explained step-by-step approach for SMEs to implementing an ISMS based on ISO/IEC 27001.

ISO Secretary-General Rob Steele and IEC General Secretary Ronnie Amit comment in the foreword to the handbook: "An information security management system based on ISO/IEC 27001:2005 can empower the small business to compete successfully on today's globalizing markets. This handbook is intended to provide the key to the door."

The advice given is based on the premise that information is an asset, which, like other important business assets, adds value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities. An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and information technology systems.

Information may concern an organization's products, processes or markets. It may be sensitive information entrusted by the organization's customers, suppliers or stakeholders. It may be stored in paper form, but is increasingly digital.

If information is power, then failure to protect that information can render the organization powerless by ruining the organization's reputation, resulting in escalating financial losses and wreaking havoc with business operations.

ISO/IEC 27001:2005 specifies the processes for enabling an organization to establish, implement, review and monitor, manage and maintain an effective ISMS. Its implementation will reassure customers and suppliers that information security is taken seriously within the organizations they deal with because the latter have in place state-of-the-art processes to deal with information security threats and issues.

ISO/IEC 27001 for SME

This handbook takes the mystery out of information security and presents a practical, clearly explained step-by-step approach for SMEs to implementing an information security management system (ISMS) based on ISO/IEC 27001.

ISO, the IEC and small businesses

International Standards developed by ISO and the IEC have been major contributors to developments such as electrical power grids, information and communication technology (ICT) networks and global supply chains, which have opened more opportunities for SMEs. ICT standardization in particular allows small businesses to reach far beyond their physical location in search of new markets. For example, with the spectacular growth of the Internet, any company, regardless of size, can now easily have a shop window to the world.