What is information security?
Information security is about managing and protecting information based on requirements for:
- confidentiality – that information does not reach unauthorised parties
- integrity – that information is accurate and has not been tampered with
- availability – that information is accessible when needed
Information security is also an important part of protecting personal privacy. Protecting information about individuals is a prerequisite for meeting data protection requirements.
Disruptions to access to information can affect an organisation’s ability to function. A systematic approach to information security enables the organisation to continue operating even if something unexpected happens, such as an outage, a disruption, or information ending up in the wrong hands.
Certification according to ISO/IEC 27001
An organisation can build an information security management system according to the international standard ISO/IEC 27001 and then have it certified.
Certification is particularly relevant for organisations that handle large amounts of sensitive or valuable information, for example within:
- healthcare
- the financial sector
- research and development
A certification shows customers, partners, and authorities that the organisation works systematically with information security.
Certification according to ISO/IEC 27701 – for organisations that handle personal data
Personal data management and information security are closely linked. Protecting the confidentiality, integrity, and availability of personal data is a prerequisite for effective data protection work, which makes ISO/IEC 27001 a natural starting point for data protection issues as well.
ISO/IEC 27701 is a standard specifically designed for personal data management systems. It was previously an extension to ISO/IEC 27001, but is now a standalone standard. This means an organisation can certify its management system directly against ISO/IEC 27701, without also being certified according to ISO/IEC 27001.
Swedac accredits certification bodies for both ISO/IEC 27001 and ISO/IEC 27701.
Information for those who want to certify their management system
Certification bodies design their certification process according to the requirements of SS-EN ISO/IEC 17021. Among other things, there are requirements for:
- the initial certification assessment to be carried out in two stages
- on-site follow-up to be carried out at least once a year
- a more thorough evaluation of the system’s effectiveness and need for changes to be carried out after a maximum of three years, as a basis for the next three-year period
Information for those who want to become accredited
Accreditation is assessed against Swedac’s applicable regulations (STAFS), the requirement standard for certification bodies certifying management systems, ISO/IEC 17021-1, and the standard SS-EN ISO/IEC 27006. These standards can be purchased from SIS, the Swedish Standards Institute.
Guidance documents are also available from the international organisations IAF and EA.