Security standard boosts consumer confidence
Data breaches are is on everyone's mind.
In fact, data breaches are what triggered a need for ISO 27001, an international standard published in October 2005 by the International Organization for Standardization and the International Electrotechnical Commission. It provides best practice guidance on protecting the confidentiality, integrity and availability of information such as individuals' bank accounts and health and defense data.
John Rizzi, president/CEO of e-Dialog, spoke with DM News Associate Editor Giselle Abramovich about the standard and what he believes is marketers' obligation to adhere to the non-mandatory best practice in order to ensure consumers' data security.
What is ISO27001?
John Rizzi: ISO 27001 certification focuses strictly on data security. The specification requires that a company strictly follow a set of stringent business practices and policies that have been developed to facilitate data security and systems uptime, limit vulnerabilities, mitigate risks and perform other steps to ensure data security.
What does the ISO code of practice preach?
The ISO creates standards across many industries and business functions. Each standard is a specification that forms the basis of an external third-party verification and certification scheme. More than just a code of practice, ISO 27001 puts into place a rigorous system of measurements and processes that include physical access restrictions; network security; intrusion and virus protection; controls around code changes for system stability and business continuity; and requirements for auditing, management accountability and continuous improvement. Before an organization receives the ISO 27001 certification, it must meet a series of exacting requirements and pass a detailed review conducted and validated by outside certified experts.
ISO 27001 certification shows that a business has taken proactive and preventative measures to protect clients' confidential data.
Do all companies need to comply with these rules?
ISO 27001 is not required by law or a regulation; it is voluntary. However, as information technology governance is increasingly recognized as a specific area for board and corporate attention, international standards related to information security have become one of the cornerstones of an effective IT governance framework. According to a November 2005 Forrester Research report, "Businesses Can Now Get an ISO Security Certification," ISO 27001 is being used by organizations to validate the security of a business partner, with some global organizations even requiring it before doing business with a company. Companies that choose not to pursue this certification can quickly lose ground in the global economy to competitors that are willing to get certified.
Is it costly for a company to implement such a management system?
The ISO 27001 compliance effort typically requires significant resources in terms of time, effort and expenditure. The cost can vary widely depending on company size and how good its practices were before they started the process.
What are the benefits of implementing it from a marketing perspective?
Marketers rely on vast amounts of customer data to make their campaigns relevant and highly targeted. The more customer-specific data they can collect and utilize to optimize offers, promotions, timing and more, the better the results. Therefore, marketers have an obligation to ensure the utmost security of their customers' information, and there is no better way to uphold that responsibility than with an ISO 27001 certification.
With ISO 27001 and the security assurance it provides, companies can be sure their data, including critical customer-specific information used in marketing programs, will be protected to the fullest extent possible. This helps increase confidence in marketing programs by senior management, corporate security officers and internal auditors. Furthermore, security and IT data integrity are a competitive advantage today and can help protect a company's brand reputation and stock valuation. The CMO Council found in a recent survey of more than 2,000 consumers that "over half would either strongly consider or definitely take their business elsewhere if their personal information were compromised." The council also cites Emory University researchers who found that a company's stock price falls on average 0.63 percent to 2.10 percent in value following the report of a security breach.
What are some of the challenges that a company may face when implementing ISO 27001?
While a dedicated team has to be committed to complete and maintain the certification, it is also true that every individual in the company is affected. For example, not only are new controls put in place for physical security (e.g., the doors are always locked) but every desktop and laptop computer is now centrally managed so that only authorized software and drivers can be installed, anti-virus/ malware solutions are strictly maintained, access can be monitored, passwords are required to be updated, idle computers are automatically locked and more.
How would a company go about implementing it?
Without question a company should seek the assistance of an outside consulting firm that specializes in ISO certification. They will provide detailed guidance that will help the company pass its first test for certification.
Forrester Research recommends that companies make ISO 27001 certification a process, not a one-time effort or project. The certification requires careful planning, including developing a business case, carefully defining the scope, defining metrics for measurement and setting a realistic timeframe for certification.