Why ISO Certifications Make Sense For IT - InformationWeek


Certifications from the International Organization for Standards (ISO) are important when considering which vendors to choose for your IT needs. But when was the last time you thought about applying ISO standards to your own internal IT operations?


You're probably quite familiar with International Organization for Standards (ISO) certifications when considering which vendors to choose for your IT needs. Such standards are helpful in advising customers about which gear and applications are up to snuff. But when was the last time you thought about applying ISO standards to your own internal IT operations?

For IT organizations, ISO standards can reassure management and users that your data and processes are safe -- and worth the investment.

Three standards in particular -- ISO 20000, ISO 27001, and ISO 22301 -- relate to IT service management, information security, and business continuity, and can be applicable to many IT departments. "These ISO standards are applicable to any size of company and any industry," Dejan Kosutic, CEO of 27001 Academy, said in a telephone interview. "It's just the philosophy of the ISO standards that they apply to every company."

Kosutic, whose company specializes in education about ISO standards and programs to help companies gain ISO certification, said that most of the IT operations his company sees are looking at the standards to help them increase the quality of the service they offer the enterprise. So what do these three standards do?

ISO 20000 is labeled as a standard for information technology service management. In practice, Kosutic said, "ISO 20000 is about how to manage IT services that are provided to the rest of the organization."

ISO 27001 is all about information security management. According to the ISO's web site, "Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties." How would an IT department know whether or not to consider ISO 27001 certification? Kosutic said, "They have to ask themselves whether they have confidential information or sensitive information that needs to be protected. If it's on a single computer, then they may not need the standard, but if it's spread out on multiple systems, then the standard can be very useful."

(Image: geralt via Pixabay)

(Image: geralt via Pixabay)

ISO 22301 covers business continuity for, as the ISO says, "... when things go seriously wrong." Unlike the other two standards here, which are management system standards, ISO 22301 is a societal security standard. According to the ISO, the committee that develops societal security standards takes a very broad view. "This technical committee develops standards for the protection of society from, and in response to, incidents, emergencies and disasters caused by intentional and unintentional human acts, natural hazards and technical failures." Obviously, for most modern organizations, information technology is a key component of the business assets that must be preserved in order for the business to continue.


All ISO standards are, to a great extent, about "documenting what you do and doing what you document." Some standards require the things that you do to be best practices; others do not. In every case, though, the documentation of practices and processes must be written and stored in a particular format that meets ISO specifications. This combination of uncertainty about which practices are required and precision about how they must be documented is why many organizations assume that any ISO certification effort must be very expensive and require the involvement of a consulting organization.

How, then, should an IT department begin to understand whether ISO certification is worth pursuing? There are at least three options for those looking for information. First, a quick search of the Web shows that there are many books available covering each of these three standards. Next, the ISO itself has a great deal of information available, though it must be said that their information tends to be highly technical. It's also possible to find peers with whom to discuss the issue. Conferences and trade shows can provide opportunities to network with those who are going through, or have gone through, a certification process.

Kosutic said that some situations may, indeed, call for consulting help. "For a company that has never had any experience with ISO standards, it's true that it's very hard to implement a standard without external help," he said. "These standards tend to be complex and with no experience you could go in the wrong direction. It's possible to implement too many rules and strict policies that don't apply to the company."

The issues around ISO certification can be complicated by the fact that many standards require the involvement of stakeholders outside the IT department. Kosutic gave an example of an information security policy that goes beyond the IT department. "Let's say the CEO takes notes on a physical notebook. They might jot down notes on strategy. If they lose the notebook in a public airport or if someone steals the notebook, it would be a big problem for the security of the information," he said. How does this relate to an ISO standard? "The CEO isn't part of the IT department and the notebook isn't IT infrastructure, but this is information that needs to be protected," said Kosutic.

Have you gone through an ISO certification process? We'd like to hear about your experience, and what the certification has meant for your IT department, in the comment section below.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...
7/8/2015 | 1:44:07 PM
ISO Should be a consideration for many organizations
Great post. I think a lot of folks get overwhelmed by the sheer number of technical certifications out there, and often overlook ISO certifications as more of a business process certification, not necessarily a technical one as it relates to security. There's a huge need for better awareness of the data in your environment, and the potential implications it has whether in digital or even non-digital format (I love the analogy about whether a notebook with written notes is considered valuable data). Hopefully we see better integration of these standards, and that organizations (particularly IT and Operations) understand the impact these standards have on technical and digital assets, and look at integrating them as part of best practices.