Quick question

What is DIN ISO/IEC 27001:2015?

Ensuring security: Uwe Spindler explains in a short interview why the ISO 27001:2015 standard is so important for organisations.

20th July 2017

Ensuring security: DIN ISO/IEC 27001:2015 is the leading international standard for information security management systems. It applies to companies and other organisations and defines the most important rules for ensuring that data and IT processes are protected as well as possible. In a short interview, Uwe Spindler from TÜV NORD explains the sectors in which the standard is particularly important and why it is absolutely essential nowadays.

#explore: What is DIN ISO/IEC 27001:2015?

Uwe Spindler: DIN standard ISO/IEC 27001 concerns standardisation of information management systems. The aim of the standard is to ensure and safeguard the confidentiality, integrity and availability of information. In principle the standard can be used for all types of organisations in all sectors, but of course there are areas of particular relevance such as banking, telecommunications and IT, where information security – which does not only mean IT security, but refers to all information needing protection – plays a major role.

And, alongside the ‘basic standard’, 27001, there is an entire 27000 family, containing further supporting and sector-specific standards and also technical reports which deal with additional requirements and recommendations. This area of standardisation is developing all the time – current themes include the Cloud, network security, telecommunications and many more.

About Uwe Spindler

Uwe Spindler performs audits and certifications at TÜV NORD companies, among others to ISO 27001, and therefore helps them to demonstrate the effectiveness of their information security management systems. He is also responsible within the Business Development area for support of the international TÜV NORD companies in the introduction of IT-related certifications.

#explore: Why is this standard so relevant at the present time?

Uwe Spindler: Information technology is becoming ever more important for all organisations, and the themes of digitisation, networking and globalisation are central. Against this backdrop, at the same time cybercrime is growing, which can put entire organisations out of action with targeted attacks – such as happened recently, for example, with the worldwide WannaCry attack. Preventive introduction of an information management system is an important protective measure in order to overcome potential security weak points within an organisation. In particular networked enterprises which have branches all over the world, for example, and which make use of very extensive data networks, are very open to attacks from the outside.

Certification according to ISO 27001 provides a competitive advantage for these organisations: it means that they can provide convincing evidence to customers and partners that they handle sensitive information in a way that is both committed and trustworthy.

#explore: What do you look for during certification?

Uwe Spindler: We assess whether the companies have effectively implemented the comprehensive requirements as regards information security management systems. For in order to achieve certification, on the one hand they have to operate a management system on the basis of the so-called High Level Structure – comparable, for example, with ISO 9001 – and on the other hand they must implement all the relevant measures for the protection of information. Annex A of ISO 27001 contains 114 such measures. Through the introduction of a unified framework – the High Level Structure – various different management systems can be combined and operate together as an integrated management system.

#explore - The Online Magazine by TÜV NORD

This is an article from #explore. #explore is a digital journey of discovery into a world that is rapidly changing. Increasing connectivity, innovative technologies, and all-encompassing digitalization are creating new things and turning the familiar upside down. However, this also brings dangers and risks: #explore shows a safe path through the connected world.