Organisations today operate in an increasingly high threat environment. We hear of major corporations being hacked, leaked data, and their services, infrastructure and domains taken offline against their will. Smaller organisations suffer the same – anonymity is no longer a guarantee of safety (if it ever was).
As providers of competency management software, Lexonis takes this threat seriously. Keeping our clients’ data safe is our priority. It is against this background that we have decided to pursue ISO 27001 Certification.
In a nutshell, ISO 27001 specifies a set of internationally agreed standards for implementing an Information Security Management System (ISMS) for an organisation. ISO 27001 Certification, meanwhile, simply means that Lexonis is not only committed to implementing an ISMS to the ISO standard, but also to being independently audited to prove that we meet it.
How does this help Lexonis to operate in this high threat environment?
Structure: ISO 27001 provides a robust, standardised methodology for approaching information security. Not only does ISO 27001 provide organisations with a basic list of security controls to consider, but it also includes processes for identifying, assessing and implementing new security controls, ensuring that consistent and flexible coverage of threats is maintained. Moreover, this standardisation means that different organisations’ ISMS’s are inter-comprehensible and even, to some extent, inter-operable.
Risk: Core to the ISO 27001 standard is its risk-based approach to information security. If the standardised structure of the system promotes consistent coverage of threats, the risk assessment and subsequent risk treatment plan mandated by ISO 27001 ensures that Lexonis’ ISMS addresses information security flexibly and effectively. High risk threats are prioritised in terms of resources and controls, whilst low risk threats are monitored and re-evaluated as circumstances change.
Continuous Improvement: Woven throughout an ISO 27001 ISMS is the requirement to continuously improve the system. Mechanisms must be put in place to undertake effective corrective and preventative measures, and internal and external audits not only scrutinise the ISMS’ processes and procedures to confirm that they are in line with the standard, but are explicitly intended to provide feedback and to identify opportunities for improvement. Indeed, proving that we have improved our ISMS between audits is a requirement of ISO 27001. At every stage the expectation and requirement is that our ISMS is a living, breathing, system which strives for ever improved performance.
These three aspects of the ISO 27001 standard combine together answer to the question “How does ISO 27001 help Lexonis operate in a high threat environment?” by expressing a single principal – that perfect is the enemy of better.
No structured system can ever account for every threat, not every threat is equal and no serious view of information security can ever take the task to be complete. Nevertheless, ISO 27001 establishes a good baseline and builds in capacity to expand the system to meet new, or unanticipated threats; it prioritises information security efforts according to risk, and it designates a direction of travel for all ISMS’ operating under its’ rubric.
Lexonis recognises that there is no such thing as perfect information security, but if you are using our competency management software you can rest reassured that through our implementation of ISO 27001, Lexonis is working towards the ‘gold standard’ of information security.