Is ISO/IEC 27001 the silver bullet that will secure the digital world?
2013 will be remembered as a pivotal year for Information Security. Not only by those working in the industry, but by anyone who followed the news.
Political hacktivism, like the actions of the Syrian Electronic Army, showed that the slightest vulnerability in a computer network could and would be abused to spread political messages to draw the attention of the international public.
Edward Snowden revealed that our online activity is monitored far more than we realise, giving us cause to re-examine our online behaviour and data security.
2013 was also the year in which top-level domain registries were attacked on an unprecedented scale, sometimes successfully. It was the year in which the digital underworld understood that controlling a domain name is the perfect attack vector for those with malicious objectives.
From this evidence it’s easy to conclude that technology alone is no longer sufficient to protect us from cybercrime and digital warfare. But what is?
Will the information security standard ISO/IEC 27001 do what technology can’t?
Not as such, because that’s not what it’s for.
What it does do, however, is help organisations to mature their thinking about data security and consequently act more securely in a digital world, thereby reducing their vulnerability to cyber-attacks.
How it works
ISO/IEC 27001 is a management standard, just like the possibly more well-known ISO 9000 and ISO 14000, and is designed to help organisations manage Information Security.
Through a continuous cycle of improvement and certification processes, external auditors search for proof that the existence of the ISO/IEC 27001 cycle is effective and is in fact improving information security within the certified organisation.
Acquiring certification is an intensive process as it means meeting certain information security standards and changing the way data is handled. But maintaining certification is equally intensive as it requires continuous growth and improvement of security standards, also setting targets that are increasingly difficult to reach.
At EURid we believe that information security is a fundamental building block of our business. To help us handle information security in a structured manner, both in our technical operations and business processes, we choose to follow the ISO/IEC 27001 security standard.
It may not be the silver bullet - there will probably never be a silver bullet – but together with technology we believe it is the best way to protect to the .eu top-level domain for .eu domain name holders and Internet users.
Dirk Jumpertz
Security Manager
EURid, registry for the .eu top-level domain