A cross-cutting issue in technological development is security, or rather, the lack of it. This urgent and present need has motivated experts to determine what work teams can do to improve their security and discourage those who want to take advantage of it or misuse it. When human groups agree on how to do something, standards are created; in this case, the international standard ISO 27001 was defined, specifying a set of best practices for establishing, implementing, maintaining, and improving Information Security Management Systems.
ISO 27001 does not eliminate all your security problems, but it sets a compliance floor and focuses attention on the points a company should address to reduce the risk of running into them. To that end, it defines good working practices: it requires that procedures be defined in advance, based on an identification of your context, capacity, and needs; that awareness be promoted and encouraged; and that evidence and controls be recorded.
The scope of the standard covers, for example, the care and protection of workers, physical workplaces, devices and infrastructure used, document handling, and, of course, digital information. In other words, the standard covers various assets relevant to developing, operating, and fulfilling the organization’s objectives. In the context of ISO, these assets are called “information assets”, which can be found in all processes, systems, networks, and people where information is collected, processed, stored, or transmitted.
Information assets are the basis from which the analysis of security risks is performed, classifying their importance for the company based on their characteristics of Confidentiality, Integrity, and Availability. Also, each risk derived from the asset analysis is valued considering the impact and probability of occurrence. These parameters help the team become aware of critical elements, potential problems, and risks, and prioritize what needs to be done or improved.
To carry out all these processes and security objectives, the standard also proposes the formation of a security committee led by one or more security officers. The function of this committee is to define the policies, procedures, and methodologies the company or work team must follow to comply with the ISO requirements. It is important to emphasize that complying with ISO is a commitment that must be assumed by the different parts of the company, considering each member’s responsibilities, rights, and duties.
At the same time, we are assisted by ISO 27002, which proposes controls for compliance with ISO 27001. In this way, the definition of policies, procedures, and methodologies is made more accessible, and the focus is again shifted to where it matters. It should be noted that ISO 27002 is a guide but not a standard for becoming certified.
We have made a pencil sketch of what ISO 27001 is and the benefits it can bring to a team or company regarding its security. To prove that we are doing what we claim, we undergo a certification process. We get certified because we want to demonstrate that we do this in an established, expected, and accepted way.
In the case of Frogmi, we seek to reassure our customers, through formal actions, that our products and procedures secure and safeguard their information and their trust. In this way, we contribute to reducing their security risk while supporting them in optimizing in-store management, thus reinforcing our value proposition.
Written by Joshua Garvs, CTO Frogmi.