What is ISO/IEC 27001:2013 and why is it relevant?
Code analysis is essential in every organization focused on software development. However, when sensitive information is at play, organizations might want to take an extra step to ensure that those data are well protected. That’s where ISO/IEC 27001:2013 certification has a significant role. More than guaranteeing that developers write better code, it’s a way to show customers that the organization takes its data security seriously.
What is ISO certification?
Maintaining consistent quality standards across different industries and nations might be challenging in today’s global marketplace. In this context, international standards help to keep a level playing field and ensure consistency.
The International Organization for Standardization (ISO) is an independent, non-governmental international organization developing and producing worldwide standards. ISO standards cover various activities, from making products and managing processes to service delivery and supplying materials.
Although ISO develops the standards themselves, a third party is responsible for annual audits and corresponding certification. These certifications — existing in many industries, from information technology to food safety — are a way for organizations to show they comply with all the standardization and quality assurance requirements.
One of the most prevalent ISO standards in information technology is the ISO/IEC 27001:2013. Let’s see what it entails.
What is ISO/IEC 27001:2013?
The ISO/IEC 27001:2013 standard specifies the requirements for establishing, implementing, maintaining, and continually improving an organization’s information security policies and procedures.
Although specific to information security management systems, the requirements set out in ISO/IEC 27001 are generic. As a result, all organizations can apply the standard, regardless of their industry, type, or size.
The ISO/IEC 27001:2013 standard includes three main components: ISO/IEC, 27001, and 2013. We’re going to analyze each one of them in more detail.
ISO/IEC
We already covered ISO: it is the International Organization for Standardization. But what about IEC? It stands for International Electrotechnical Commission. It is another international standards organization, specifically focused on electrical, electronic, and related technologies. IEC works closely with ISO in creating standards for the field commonly called “electrotechnology.”
27001
The number appearing after ISO/IEC classifies the standard. All standards within the ISO 27000 family (there are more than a dozen) refer to information security management. When following these standards, the goal is to keep information assets secure. The 27001 standard is widely known by professionals in the realm of information technology, and it provides the requirements for an information security management system for any kind of digital organization.
2013
The final number refers to the standard version, corresponding to the calendar year ISO launched it. In this case, 2013 is the latest version of ISO 27001, launched in October of that same year.
Why is ISO/IEC 27001:2013 certification relevant?
Let’s be clear: in several cases, ISO/IEC 27001:2013 certification is voluntary, not mandatory. Some organizations choose to implement the standard to benefit from the best practices it contains, but without going through the certification process.
The three-year certification process is lengthy and can seem daunting, with two-stage audits and subsequent yearly checkups. However, it is worth the effort, and being ISO certified offers numerous benefits and advantages for organizations of all industries.
ISO certification has become the norm, and it works as a seal of approval. The benefits include, among others, improved quality management, more efficient processes, increased protection of the company and its assets, increased international reputation, potentially increased revenue or competitive advantage, and enhanced client satisfaction.
The ISO/IEC 27001:2013 standard shows how data that has been previously collected can remain confidential and secure. This is vital when dealing with sensitive data like health-related information. ISO certification can also help organizations comply with other regulations.
For example, for U.S.-based healthcare organizations, having the ISO/IEC 27001:2013 certification can also help to comply with other frameworks, such as the HIPAA (Health Insurance Portability and Accountability Act). In practice, ISO 27001 consists of 114 security controls, and we can leverage at least 47 to comply with HIPAA requirements.
How can Codacy help you comply with ISO/IEC 27001:2013?
Now that we have covered the basics, let’s see precisely how Codacy can help you comply with ISO/IEC 27001:2013. We analyzed the particular case of LOGEX, a leading healthcare analytics company.
We spoke with Tim van Loosbroek, Head of Infrastructure and Security at LOGEX, about how Codacy helps them comply with ISO/IEC 27001:2013 and, in Tim’s words, “get a really nice certificate.”