
Information management

Because all organizations are dependent on ICT and telecoms, you need to ensure that you manage your information in the most effective way. Information management standards provide best practice frameworks to support businesses in efficiently and securely managing their data and to comply with regulations such as GDPR.

Inspiring trust with information resilience

Learn how standards help to embed information best practices at the heart of your organization’s operations


Managing information in the cloud: Best practice frameworks

It’s predicted that more than $1 trillion in IT spending will be directly or indirectly affected by the shift to cloud during the next five years. This is no surprise, as the cloud is one of the main digital technologies developing in today’s fast-moving world. It’s encouraging that CEOs recognize that it’s crucial for them to champion the use of digital technologies to keep up with today’s evolving business environment. There are, however, still concerns over using cloud services and over the best approach to adoption. That’s where BSI can help. We recognize that responding to emerging technologies can be difficult, especially with an ever-growing variety of products and services. As a business improvement partner, we work with clients to understand key drivers and help develop the best practice standards that build greater resilience.

What influences organizations to store information on the cloud?

Business strategy and objectives should help organizations decide the best approach to cloud computing. This may involve using public cloud services, a private cloud, or a hybrid cloud solution, and will often be influenced by your resources and priorities. Security concerns still top the list of barriers to cloud adoption, particularly with public cloud provision: 91% of organizations are very or moderately concerned about public cloud security. This isn’t confined to IT departments: 61% of IT professionals believe cloud data security is an executive concern. This is critical considering the variety of cloud services that support wider business operations, such as Customer Relationship Management (CRM) systems, HR self-service portals, and business complaint systems, to name a few. Getting executive buy-in can help align cloud service offerings and improve delivery. It can also support instilling a best practice approach to security throughout the business, ensuring all employees are trained to recognize information security threats and know the action they need to take to support the business.

Despite these challenges, many organizations are influenced by the benefits of managing information on the cloud. These benefits include:

- Agility: you can respond more quickly and adapt to business changes
- Scalability: cloud platforms are less restrictive on storage, size and number of users
- Cost savings: no physical infrastructure costs or charges for extra storage, exceeding quotas, etc.
- Enhanced security: standards and certification can show robust security controls are in place
- Adaptability: you can easily adjust cloud services to make sure they best suit your business needs
- Continuity: organizations are using cloud services as a backup to internal solutions

Standards to help you manage information on the cloud

We have a range of standards that focus on putting appropriate frameworks and controls in place to manage cloud security.

BS EN ISO/IEC 27001 is the international standard for an information security management system (ISMS) and the foundation of all our cloud security solutions. It describes the requirements for a best practice system to manage information security, including understanding the context of an organization, the responsibilities of top management, resource requirements, how to approach risk, and how to monitor and improve the system. It also provides a generic set of controls required to manage information and ensures you assess your information risks and control them appropriately. It is relevant to all types of organizations, whether or not they are involved with cloud services, as a way of managing information security against recognized best practices.

BS EN ISO/IEC 27017 is an international code of practice for cloud security controls. It outlines cloud-specific controls to manage security, building on the generic controls described in BS EN ISO/IEC 27002. It is applicable both to Cloud Service Providers (CSPs) and to organizations procuring cloud services, outlining roles and responsibilities for both parties so that all cloud security concerns are addressed and clearly owned. Having BS EN ISO/IEC 27017 controls in place is especially important when you procure cloud services that form part of a service you sell to clients.

BS EN ISO/IEC 27018 is an international code of practice for protecting Personally Identifiable Information (PII) on public clouds. It builds on the general controls described in BS EN ISO/IEC 27002 and is appropriate for any organization that processes PII. This is particularly important given the changing privacy landscape and the focus on protecting sensitive personal data.

Ensure that your organization is efficiently managing data on the cloud by adopting these standards today.

Discover BSI Knowledge

All businesses need to continually evolve their cybersecurity management in order to effectively manage the cyber risks associated with cloud use. With a BSI Knowledge subscription, you will have the flexibility and visibility to manage the key standards you need in order to improve your cloud security processes with confidence. Build your own custom collection of standards, or opt for access to one of our pre-built modules, such as GBM24 Information Technology - Software & Networking, and keep up to date with any relevant changes to your information management strategy. Request to learn more.

The 4 pillars of control: A modern approach to information security controls

An important information security management system standard was revised in 2022. BS EN ISO/IEC 27002 Information technology, cybersecurity and privacy protection—Information security controls provides guidance on organizational information security controls and offers best practices for information security management. The revision brings a modern approach to managing cybersecurity: it takes into consideration a business’ unique security risk environment by focusing on the organization’s selection, implementation, and management of security controls. It aims to give businesses of every size and sector updated and simplified security control guidance, making it more versatile for choosing and assessing the type of security controls most suited to the organization.

Why is BS EN ISO/IEC 27002 on information security controls important for your business?

BS EN ISO/IEC 27002 is an important standard that underpins all cybersecurity systems across sectors. Cybersecurity is a key priority of the Digital Sector Strategy and of the wider UK Government’s plan to protect and grow the UK economy, especially given the growing frequency of cyber-attacks. As a result, BS EN ISO/IEC 27002 is a practical tool to support the desired outcomes of the 2021-2026 National Cyber Security Strategy. Every business needs to be implementing measures to protect its information assets. The forced acceleration of digitalization and the shift to hybrid working that many organizations have experienced since the start of the COVID-19 pandemic have led to greater vulnerabilities, whilst cybercrime technology has also become more advanced.

BS EN ISO/IEC 27002 will help your business to:

- Identify suitable and proportionate security controls within the process of setting up an Information Security Management System (ISMS)
- Achieve best practices in information security management
- Meet legal, statutory, regulatory, and contractual requirements in relation to information security
- Strengthen risk management and reduce the likelihood of information security breaches
- Increase confidence in the organization’s ISMS
- Increase the overall robustness and resilience of the ISMS and strengthen risk management
- Contribute to UN Sustainable Development Goal 9 on industry, innovation, and infrastructure

BS EN ISO/IEC 27002 is best used as a supplementary guide to BS EN ISO/IEC 27001 for identifying suitable and appropriate security controls within the process of setting up an ISMS, and it aids businesses in demonstrating a stable ISMS.

What has changed in the revised BS EN ISO/IEC 27002?

Within the revised BS EN ISO/IEC 27002, users will find that the existing controls have been restructured and that the number of security controls listed has decreased from 114 to 93, with some controls removed because they no longer reflect best practice. Steve Watkins, Chair of IST 33, says: “The welcome update of BS EN ISO/IEC 27002 brings the control options and descriptions up to date and introduces the concepts of themes and attributes to assist organizations in their selection and deployment of them to manage cybersecurity risks.”

Eleven new controls have been introduced in the latest version of the BS EN ISO/IEC 27002 standard. These reflect the evolution of technologies and industrial practices, including threat intelligence, information security for use of cloud services, and data leakage prevention. This will ensure that businesses are able to maintain continuous control over their information security even as the nature of cyberattacks changes.

BS EN ISO/IEC 27002 aims to ensure that no necessary information security control has been overlooked and that the information security management guidance is consolidated into four key areas, making it easier for businesses to adopt. These four thematic categories of controls are Organizational, People, Physical and Technological. Attributes can also be used to filter, sort, and present controls from different perspectives for different audiences.

Organizational

Organizational controls help to embed a culture of information security and digital trust in your business and help your organization identify threats intelligently. Examples of the organizational controls identified in BS EN ISO/IEC 27002 include threat intelligence, identity management, and business continuity readiness.

People

People controls help your business manage the information risk associated with its stakeholders and protect people’s privacy. These people could be employees, customers, supply chain partners, etc. Examples of the people controls identified in BS EN ISO/IEC 27002 include controls relevant to the activities of Human Resources (HR).

Physical

Physical controls help your business physically monitor what is happening within your organization to minimize the risk of cyberattacks. Examples of the physical controls identified in BS EN ISO/IEC 27002 include physical entry controls and physical security monitoring.

Technological

Technological controls help your business protect its information by using technology to secure your systems. Examples of the technological controls identified in BS EN ISO/IEC 27002 include data leakage prevention, information deletion, data obfuscation (masking) for privacy, and secure coding.

Is your business future-ready?

Ensure your organization has the tools it needs to establish effective control within its information security management and prevent cyberattacks, by adding the revised BS EN ISO/IEC 27002:2022 to your collection today.

Celebrating the outreach of information security management standards

BS EN ISO/IEC 27001 is the high-profile, best-selling international information security management system (ISMS) standard. It is recognized as the common international language that facilitates many opportunities for growth, trade, and harmonization across all market sectors and with national governments. The standard has also become a game-changer for many organizations that seek to demonstrate conformance to international information security management requirements, as it gives the organization the opportunity for its ISMS to be independently assessed and certified. ISMS certification provides trust, assurance and confidence to business and trading partners, governments and consumers.

Evolution from a British to an international standard

The evolution of BS EN ISO/IEC 27001 has spanned more than thirty years, from the time it was a British Standard, BS 7799-2 Information security management - Code of practice for information security management, in 1997 to its progress through ISO as BS EN ISO/IEC 27001 (first published in 2005). Under the leadership of Dr. Edward Humphreys (ISO/IEC Convenor) and with the collective energy of the international community of experts, a business-oriented standard for top management was created and maintained for international use. As is normal practice, BS EN ISO/IEC 27001 has been regularly reviewed and revised over three editions (2005-2022) to ensure the standard remains up to date with the needs of business today and incorporates improvements to continue delivering trust and assurance in the organization’s ISMS.

Celebrating international cooperation

The development and maintenance of BS EN ISO/IEC 27001 has been a truly global project which has brought together professional experts from many National Standards Bodies (NSBs) and Liaison Organizations (LOs) around the world. The combined global expert opinions and contributions voiced the needs of the global market and its stakeholders, building a standard that is internationally recognized and acclaimed as the leading standard in the field of information security management. The ISO group SC 27/WG 1 has championed the BS EN ISO/IEC 27001 project under the leadership of Dr Humphreys and an international team of world-class experts, from the time BSI submitted its standard BS 7799-2 to ISO in the early 21st century until today. BSI deserves applause for its evolution of the initial standard, through to the take-up and global outreach by ISO and its international partners. On behalf of the international community, there is much to celebrate in marking the success of BS EN ISO/IEC 27001: effective management of cyber risks and organizational information assets, giving global business a safe option and allowing international trade opportunities to flourish, with international certification available across all market sectors. This international cooperation is a most noteworthy achievement of ISO, IEC and their members.

Global outreach and benefits

The impact of BS EN ISO/IEC 27001 has been a global sensation, influencing public and private businesses and industries alike and giving them protection to support their growth, development and investment. BS EN ISO/IEC 27001 is also referenced in laws and regulations in many countries and in commercial contracts, as something mandated or highly recommended. It can be used as a business tool for providing resilience against cyber-attacks, giving wide protection for the confidentiality, integrity and availability of information and protecting against cyber risks. Today the BS EN ISO/IEC 27001 concept has grown into a set of international standards commonly called the BS EN ISO/IEC 27000 series, which encompasses the standard itself and the supporting standards and guidance for BS EN ISO/IEC 27001.

An international certification success

This year, 2024, is the 25th year of BS EN ISO/IEC 27001 accredited certification. Over these 25 years, certificates of conformance with BS EN ISO/IEC 27001 have been issued to over 500,000 organizations in over 91 countries. Congratulations are due to all those involved over these 25 years, with a big thanks going to BSI and the UK government for their vision and support. A more in-depth narrative of the history of this development is given in three articles published in the SC 27 Journal Vol. 2 Issue 01 2022: The Voyage of 27 Thousand and One; BS 7799-2 to ISO/IEC 27001; and Hall of Fame, World of ISMS.

Watch the video series

To help you better understand the history and future of the BS EN ISO/IEC 27000 series, BSI has interviewed 5 industry experts on the development and benefits of this global standard:

- The Evolution of ISO/IEC 27001: 30 Years of Information Security
- Explore How BSI Leads Cybersecurity Innovation in the UK
- BSI's Global Leadership in Cybersecurity Standards
- Top Benefits of ISO/IEC 27001 for Your Business
- Navigating the Intersection of Cybersecurity and AI with BSI

Discover BSI Knowledge Subscriptions

Being able to effectively manage personal information not only helps your business avoid large fines for data breaches but also helps you gain the digital trust of your stakeholders. With a cost-effective BSI Knowledge subscription, you will have the flexibility and visibility to manage the essential standards you need all in one place, to work confidently and embed a culture of reliable privacy management. Build your own custom collection of standards, or opt for access to pre-set modules, and keep up to date with any relevant changes to your standards strategy. Request to learn more.

ISO/IEC 27001 or ISO/IEC 42001: The AI and information security standard decision checklist

As artificial intelligence (AI) adoption accelerates across industries, ensuring information security and ethical AI governance has become paramount. According to our research, ‘81% of business leaders state their organization is already investing in artificial intelligence (AI).’ However, with this investment comes a host of new challenges, from managing operational risks to adhering to evolving regulations. To aid organizations in addressing these challenges, we’ve developed a free AI and information security standard decision checklist. Designed for decision-makers, consultants, and organizations exploring AI integration, this tool provides guidance on adopting ISO/IEC 42001 for Artificial Intelligence Management Systems (AIMS) or ISO/IEC 27001 for Information Security Management Systems (ISMS). The checklist will help you identify which standard aligns best with your goals, ensuring that your AI initiatives are secure and responsibly managed.

Why information security matters in AI development

AI systems require large datasets to deliver accurate, high-quality outputs, which raises unique information security and privacy concerns. ISO/IEC 27001 is an industry-leading framework for protecting sensitive data from unauthorized access, breaches, and data loss. It establishes a comprehensive management structure based on the principles of confidentiality, integrity, and availability, ensuring data is handled securely at every level.

Key ISO/IEC 27001 components

The ISO/IEC 27001 framework emphasizes:

- Organizational context: understanding specific industry risks and operational factors.
- Central information security policies: defining policies to guide security practices.
- Risk evaluation and treatment: identifying and addressing security risks effectively.
- Resource allocation: ensuring resources for maintaining and improving information security.
- Management involvement: engaging leadership in continuous improvement of information security.

Learn more about ISO/IEC 27001 by reading our article Achieve better information security management with the revised BS EN ISO/IEC 27001.

Understanding AI risks with ISO/IEC 42001

With the growing focus on AI, ISO/IEC 42001 addresses the unique risks that AI technologies bring, providing an AIMS framework that promotes responsible AI governance across the AI lifecycle, from data collection to model deployment. This standard aids in managing AI-specific risks such as model bias, decision transparency, and unintended social impacts. Learn more about ISO/IEC 42001 by reading our article Maximizing the value of AI for society with BS ISO/IEC 42001.

Key considerations for AI security and governance

For organizations already using ISO/IEC 27001, it is essential to evaluate whether:

- AI risks should be treated separately from traditional information security risks: AI introduces risks that go beyond data protection, affecting model integrity and decision-making processes.
- Existing ISO/IEC 27001 controls are sufficient: AI’s unique challenges, such as model evasion and bias, may require additional controls provided by ISO/IEC 42001.

Determining your path: ISMS, AIMS, or both?

The decision to adopt ISO/IEC 27001, ISO/IEC 42001, or a combination of both should be informed by your organization’s data maturity and readiness for AI integration. For companies with robust data governance practices, ISO/IEC 42001 may provide the added structure needed for responsible AI management, while others may benefit from starting with the foundational security measures in ISO/IEC 27001.

Take the next step: Get your free copy of the checklist

Ready to secure your organization’s data and responsibly manage AI? Our checklist walks you through these considerations, allowing you to assess your readiness and understand how each standard fits within your organization’s risk management and governance strategy. Download our free AI and Information Security Standard Decision Interactive Checklist now to guide your strategy with ISO/IEC 42001 and ISO/IEC 27001.
