The International Organization for Standardization (ISO) 27000 series is basically a set of best practices for an organization to use to align security process with corporate goals. The added benefit of this standard is that you can officially get 'ISO certified', which carries some weight in certain circles. Benefits outside of the trophy case include implementing tried-and-true security practices, security awareness and participation, alignment of security initiatives with business goals, and refinement/formation of security policies.

​

ISO 27000 certification is a little different than other compliance assessments because you're looking at how your organization manages security, rather than how much your systems comply with a standard set of requirements. What's more, you determine the business goals you want to be judged against. In short, you specify the controls you want to adhere to. How's that done?

​

First and foremost, the business goal(s) need to be determined. From there, you rifle through the ISO 27001 standard and specify your controls/requirements. Once you've established what you want to accomplish, it's a typical gap analysis, mitigate, and repeat process until you're satisfied. 

​

As indicated above, there is a certification body that will certify your Information Security Management System (ISMS) to ISO 27001. They are typically last-mile in that they assess only, but there are companies that will help lead you through the process, help implement controls, and assist where needed throughout your ISO certification process. I've heard of organizations going through ISO 27001 without outside help - how I've heard: through a three-hour 'lessons learned' presentation. Skip the pain and hire an expert, please.

​