
I keep hearing things about ISO 27001 that leave me unsure whether to laugh or cry. It is striking how people tend to make decisions about something they know very little about. Here are the most common misconceptions:

"The standard requires..." 

"The standard requires passwords to be changed at regular intervals." "The standard requires that multiple suppliers exist." "The standard requires the disaster recovery site to be at least 50 km away from the main site." Really? The standard says nothing of the kind. Unfortunately, I hear this sort of false information quite often. People usually mistake best practice for requirements of the standard, but the problem is that not all security rules are suitable for every kind of organization. And those who claim such things are prescribed by the standard have probably never read it.

"We'll let the IT department handle it"

This is management's favourite: "Information security is about IT, isn't it?" Well, not quite. The most important parts of information security include IT measures, but also organizational issues and human resource management, which are usually outside the IT department.

"We'll implement it in a couple of months"

You could implement ISO 27001 in 2 or 3 months, but it won't work: you would just end up with a set of policies and procedures nobody cares about. Implementing information security means implementing changes, and it takes time for changes to happen. Not to mention that you should implement only those security controls that are really needed, and the analysis of what is really needed takes time; it is called risk assessment and risk treatment.

"This standard is all about documentation"

Documentation is an important part of ISO 27001 implementation, but the documentation is not an end in itself. The main point is that you perform your activities in a secure way, and the documentation is there to help you do that. Likewise, the records you produce will help you measure whether you are achieving your information security objectives and enable you to correct the activities that fall short.

"The only benefit of the standard is for marketing purposes"

"We are doing this just to get the certificate, aren't we?" Well, this is (sadly) the way 80 percent of companies think. I'm not trying to argue here that ISO 27001 shouldn't be used for promotional and sales purposes, but you can also achieve other important benefits, like preventing a WikiLeaks-style incident from happening to you. The point is: read ISO 27001 first before you form your opinion about it; or, if it is too boring for you to read (which I admit it is), talk with someone who has some real knowledge of it. And try to get some other benefits out of it, besides marketing. In other words, increase your chances of making a profitable investment in information security.
