Ion Iordache

Information Controls Businesses – Threat Management Using ISO 27001

November 7, 2016

In today’s world, information security is a real challenge, and technology, good or bad, is inevitable. Technology is, in fact, what determines how we approach the security of information in order to manage security threats.

Technology allows us to do everything at a much faster pace and much more efficiently. However, we must not lose sight of the fact that it does the same thing for criminals. We are at a stage where we store, process and transfer data in unimaginable quantities, but it is the information we extract from that data that represents the true value.

A few months ago I wrote an article called “Quality Management – between necessity and indifference” because I noticed that there are a lot of people who understand, accept and even want quality, but when they are faced with taking the measures necessary to assure it, a series of problems appears.

The exact same thing is happening with the information we hold and should protect. We know of its importance, and we accept and want its protection. This is why I found interesting an approach to “Information Security Management” that starts from the idea that information controls businesses.

Information controls businesses and represents the “based theory of competitive advantage” (Robert M. Grant), because no organization can function without critical and reliable information.

That being said, an extremely important question arises: how do I know that my organization secures all the information it holds?

We store on our computers, mobile devices and/or in the cloud information about our current or future projects, fabrication processes, financial documentation or even client details, all of which can be accessed from anywhere with an internet connection. We can’t be too sure of its safety, can we?

I must also mention the huge quantity of personal information that should remain confidential; do we even have a guarantee that it is truly secured?

There is a way to make sure that my organization is efficiently securing its information: implementing an Information Security Management System based on a process that keeps the performance of every overseen process under full control.

The information security of my organization, my clients and my partners is guaranteed by attaining an ISO 27001 certificate.

What does the ISO 27000 family of standards say?

“The ISO 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.

ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).” – http://www.iso.org

What does the standard ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements say? It “specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.”

Tricky, right? No worries, in fact, everything is quite simple.

Information security should be viewed from a holistic perspective, in order to face the challenges of preventing real security threats such as fraud, sabotage, espionage, fire, floods or terrorism.

It is not mandatory to be certified, but the advantages offered by implementing an Information Security Management System based on ISO 27001 should attract more interest from manufacturers and service providers.

We live in a world where managers focus on two major areas: optimizing processes and creating new business strategies that put them ahead of their competitors.

Therefore, in order to adapt to current market demands, clientele and sometimes legal requirements, companies have started to obtain an arsenal of ISO certifications that target several domains and issues: Quality (ISO 9001), Environment (ISO 14001), Occupational Health and Safety (ISO 18001), Information Security Management (ISO 27001), IT Service Management (ISO 20000), Business Continuity (ISO 22301), and the list can go on.

What do all these standards have in common? Risk Management. This should not be seen as a negative element, but more so as an opportunity to identify and improve processes, which only leads to a positive approach to risk.

A risk-based approach assumes a proactive and preventive stance, as the cost of prevention will always be lower than the cost of repair.

The first and most important step in implementing a standard involves documenting and approaching the company’s activities in an organized manner.

That being said, one of the main roles of efficiently implementing a standard is the protection of both employer and employee. This way, both have a clear description of what to expect from each other and a set of rules that reduces the risk of misunderstanding.

When talking about implementing a management system based on a standard, no matter what the standard is, we must first and foremost understand the real benefits.

Initially, a shiny new certificate may boost the company’s image or even land a new contract. Going beyond the superficial aspect and the bragging rights of owning a certificate, we should take a step back and see the real long-term benefits that implementing a standard will have on any company, small or large.

Of course, beyond all the advantages offered by ISO 27001, there are a series of myths that should be known and addressed.

Dejan Kosutic, in his book “Secure & Simple – A Small Business Guide to Implementing ISO 27001 on Your Own”, presents “What ISO 27001 is not – 7 most common myths”. With his permission, I will list three of the myths the way he presents them.

  1. “The standard requires xyz” – “The standard requires passwords to be changed every three months.” “The standard requires that multiple suppliers must exist.” … The standard doesn’t say anything like that…
  2. “We’ll let the IT department handle it” – This is the management’s favourite – “Information security is all about IT, isn’t it?” …The truth is, implementation of ISO 27001 is more a business project than an IT project.
  3. “This standard is all about documentation” – Documentation is an important part of ISO 27001 implementation, but the documentation is not an end in itself. The main point of ISO 27001 implementation is that the employees perform their activities in a secure way, and the documentation is here to help you do that.

ISO 27001 brings value to an organization only if the certification reflects the presence of good management practices, meaning the system is implemented well.

I truly believe that in order to be successful in a highly competitive market with high security risks, any organization needs to implement an Information Security Management System, and this objective should not be ignored.

Sources:

  • “Secure & Simple – A Small Business Guide to Implementing ISO 27001 on Your Own” by Dejan Kosutic
  • The International Organization for Standardization (ISO)
  • Mihai Dantis, Business Development Manager South East Europe at ELO Digital Office Romania
