Why ISO Certifications Make Sense For IT - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

11:06 AM

Why ISO Certifications Make Sense For IT

Certifications from the International Organization for Standards (ISO) are important when considering which vendors to choose for your IT needs. But when was the last time you thought about applying ISO standards to your own internal IT operations?

6 Ways To Master The Data-Driven Enterprise
6 Ways To Master The Data-Driven Enterprise
(Click image for larger view and slideshow.)

You're probably quite familiar with International Organization for Standards (ISO) certifications when considering which vendors to choose for your IT needs. Such standards are helpful in advising customers about which gear and applications are up to snuff. But when was the last time you thought about applying ISO standards to your own internal IT operations?

For IT organizations, ISO standards can reassure management and users that your data and processes are safe -- and worth the investment.

Three standards in particular -- ISO 20000, ISO 27001, and ISO 22301 -- relate to IT service management, information security, and business continuity, and can be applicable to many IT departments. "These ISO standards are applicable to any size of company and any industry," Dejan Kosutic, CEO of 27001 Academy, said in a telephone interview. "It's just the philosophy of the ISO standards that they apply to every company."

Kosutic, whose company specializes in education about ISO standards and programs to help companies gain ISO certification, said that most of the IT operations his company sees are looking at the standards to help them increase the quality of the service they offer the enterprise. So what do these three standards do?

ISO 20000 is labeled as a standard for information technology service management. In practice, Kosutic said, "ISO 20000 is about how to manage IT services that are provided to the rest of the organization."

ISO 27001 is all about information security management. According to the ISO's web site, "Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties." How would an IT department know whether or not to consider ISO 27001 certification? Kosutic said, "They have to ask themselves whether they have confidential information or sensitive information that needs to be protected. If it's on a single computer, then they may not need the standard, but if it's spread out on multiple systems, then the standard can be very useful."

(Image: geralt via Pixabay)

(Image: geralt via Pixabay)

ISO 22301 covers business continuity for, as the ISO says, "... when things go seriously wrong." Unlike the other two standards here, which are management system standards, ISO 22301 is a societal security standard. According to the ISO, the committee that develops societal security standards takes a very broad view. "This technical committee develops standards for the protection of society from, and in response to, incidents, emergencies and disasters caused by intentional and unintentional human acts, natural hazards and technical failures." Obviously, for most modern organizations, information technology is a key component of the business assets that must be preserved in order for the business to continue.

[ What could possibly go wrong? Read 7 Data Center Disasters You'll Never See Coming. ]

All ISO standards are, to a great extent, about "documenting what you do and doing what you document." Some standards require the things that you do to be best practices; others do not. In every case, though, the documentation of practices and processes must be written and stored in a particular format that meets ISO specifications. The combination of uncertainty and precision is why many organizations assume that any ISO certification effort must be very expensive and require the involvement of a consulting organization.

How, then, should an IT department begin to understand whether ISO certification is worth pursuing? There are at least three options for those looking for information. First, a quick search of the Web shows that there are many books available covering each of these three standards. Next, the ISO itself has a great deal of information available, though it must be said that their information tends to be highly technical. It's also possible to find peers with whom to discuss the issue. Conferences and trade shows can provide opportunities to network with those who are going through, or have gone through, a certification process.

Kosutic said that some situations may, indeed, call for consulting help. "For a company that has never had any experience with ISO standards, it's true that it's very hard to implement a standard without external help," he said. "These standards tend to be complex and with no experience you could go in the wrong direction. It's possible to implement too many rules and strict policies that don't apply to the company."

The issues around ISO certification can be complicated by the fact that many standards require the involvement of stakeholders outside the IT department. Kosutic gave an example of an information security policy that goes beyond the IT department. "Let's say the CEO takes notes on a physical notebook. They might jot down notes on strategy. If they lose the notebook in a public airport or if someone steals the notebook, it would be a big problem for the security of the information," he said. How does this relate to an ISO standard? "The CEO isn't part of the IT department and the notebook isn't IT infrastructure, but this is information that needs to be protected," said Kosutic.

Have you gone through an ISO certification process? We'd like to hear about your experience, and what the certification has meant for your IT department, in the comment section below.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
7/8/2015 | 1:44:07 PM
ISO Should be a consideration for many organizations
Great post. I think a lot of folks get overwhelmed by the sheer number of technical certifications out there, and often overlook ISO certifications as more of a business process certification, not necessarily a technical one as it relates to security.  There's a huge need for better awareness of the data in your environment, and the potential implications it has whether in digital or even non-digital format (I love the analogy about whether a notebook with written notes is considered valuable data).  Hoepfully we see better integration of these standards, and that organizations (particularly IT and Operations) understand the impact these standards have on technical and digital assets, and look at integrating them as part of best practices.
7 Technologies You Need to Know for Artificial Intelligence
Jessica Davis, Senior Editor, Enterprise Apps,  7/1/2019
A Practical Guide to DevOps: It's Not that Scary
Cathleen Gagne, Managing Editor, InformationWeek,  7/5/2019
Diversity in IT: The Business and Moral Reasons
James M. Connolly, Editorial Director, InformationWeek and Network Computing,  6/20/2019
White Papers
Register for InformationWeek Newsletters
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Current Issue
A New World of IT Management in 2019
This IT Trend Report highlights how several years of developments in technology and business strategies have led to a subsequent wave of changes in the role of an IT organization, how CIOs and other IT leaders approach management, in addition to the jobs of many IT professionals up and down the org chart.
Flash Poll