ISO 27001 - Keeping Information Secure

Companies are keeping ever-increasing amounts of data on all of their customers, suppliers, staff and anyone else linked to the business. In the past, before the advent of office computing, records were commonly kept in paper format, with heavy sales ledgers filled in by hand and kept under lock and key overnight. Staff files would be kept in a locked filing cabinet in the manager's office, sales leads kept on a Rotadex or other small filing system, and invoices filed away. Data stored in this way was easy to keep secure, as it was simply a matter of locking it up at night, restricting access to named key holders and ensuring sensitive information was kept in a secure location at all times.


Nowadays even the smallest business has at least one computer, and information will be held digitally rather than in paper format, either on individual computers or on servers. Keeping the data secure is much more challenging for any organisation, as issues such as hacking or malicious use of the information have to be taken into consideration.


Most companies take practical steps to limit access to data by having levels of clearance for different members of staff, administered with passwords and layers of access. Systems administrators or the IT department can allow access to certain information databases while simultaneously denying access to material which is either too sensitive or irrelevant to the job being done. As long as passwords are not shared and systems administrators constantly review access criteria, this system can be very effective at managing access to information among the company's staff.


Dealing with malicious threats originating outside the company is a different matter, and companies protect their servers and internal networks using firewalls and encryption. There are many different ways of securing servers and keeping information safe, and it is not easy for companies to sift through them all and decide which overall method is best. In order to help businesses through this minefield, the ISO 27001 standard was developed. It is part of a range of similar standards which help companies across the world tap into best-practice advice on information security. There are three parts to the accreditation process, which is available to companies worldwide. Independent auditors will assess the company's current information security systems and make recommendations for improvement, then return to the company at a later date to ensure that the recommendations have been implemented and that systems are secure. There is also a requirement for annual reviews by independent auditors to make sure systems are developing correctly as the organisation changes.