You're probably quite familiar with International Organization for Standardization (ISO) certifications when considering which vendors to choose for your IT needs. Such standards are helpful in advising customers about which gear and applications are up to snuff. But when was the last time you thought about applying ISO standards to your own internal IT operations?
For IT organizations, ISO standards can reassure management and users that your data and processes are safe -- and worth the investment.
Three standards in particular -- ISO 20000, ISO 27001, and ISO 22301 -- relate to IT service management, information security, and business continuity, and can be applicable to many IT departments. "These ISO standards are applicable to any size of company and any industry," Dejan Kosutic, CEO of 27001 Academy, said in a telephone interview. "It's just the philosophy of the ISO standards that they apply to every company."
Kosutic, whose company specializes in education about ISO standards and programs to help companies gain ISO certification, said that most of the IT operations his company sees are looking at the standards to help them increase the quality of the service they offer the enterprise. So what do these three standards do?
ISO 20000 is labeled as a standard for information technology service management. In practice, Kosutic said, "ISO 20000 is about how to manage IT services that are provided to the rest of the organization."
ISO 27001 is all about information security management. According to the ISO's web site, "Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties." How would an IT department know whether or not to consider ISO 27001 certification? Kosutic said, "They have to ask themselves whether they have confidential information or sensitive information that needs to be protected. If it's on a single computer, then they may not need the standard, but if it's spread out on multiple systems, then the standard can be very useful."
ISO 22301 covers business continuity for, as the ISO says, "... when things go seriously wrong." Unlike the other two standards here, which are management system standards, ISO 22301 is a societal security standard. According to the ISO, the committee that develops societal security standards takes a very broad view. "This technical committee develops standards for the protection of society from, and in response to, incidents, emergencies and disasters caused by intentional and unintentional human acts, natural hazards and technical failures." Obviously, for most modern organizations, information technology is a key component of the business assets that must be preserved in order for the business to continue.
All ISO standards are, to a great extent, about "documenting what you do and doing what you document." Some standards require the things that you do to be best practices; others do not. In every case, though, the documentation of practices and processes must be written and stored in a particular format that meets ISO specifications. The combination of uncertainty and precision is why many organizations assume that any ISO certification effort must be very expensive and require the involvement of a consulting organization.
How, then, should an IT department begin to understand whether ISO certification is worth pursuing? There are at least three options for those looking for information. First, a quick search of the Web shows that there are many books available covering each of these three standards. Next, the ISO itself has a great deal of information available, though it must be said that their information tends to be highly technical. It's also possible to find peers with whom to discuss the issue. Conferences and trade shows can provide opportunities to network with those who are going through, or have gone through, a certification process.
Kosutic said that some situations may, indeed, call for consulting help. "For a company that has never had any experience with ISO standards, it's true that it's very hard to implement a standard without external help," he said. "These standards tend to be complex and with no experience you could go in the wrong direction. It's possible to implement too many rules and strict policies that don't apply to the company."
The issues around ISO certification can be complicated by the fact that many standards require the involvement of stakeholders outside the IT department. Kosutic gave an example of an information security policy that goes beyond the IT department. "Let's say the CEO takes notes on a physical notebook. They might jot down notes on strategy. If they lose the notebook in a public airport or if someone steals the notebook, it would be a big problem for the security of the information," he said. How does this relate to an ISO standard? "The CEO isn't part of the IT department and the notebook isn't IT infrastructure, but this is information that needs to be protected," said Kosutic.
Have you gone through an ISO certification process? We'd like to hear about your experience, and what the certification has meant for your IT department, in the comment section below.