ISO 27001 is not applicable to the IT industry only. Very often, companies that are not obvious candidates for ISO 27001 implement it as well – for example, pharmaceutical companies, health organizations, government bodies, etc.
This is what ISO 27001 is all about: it provides a methodology for companies to identify which potential incidents could happen to them (i.e., risks), and then to define controls – policies, procedures and, where needed, technical measures – that change how employees handle information so that such incidents are prevented.
Why are many non-IT companies interested in ISO 27001? Because, believe it or not, IT is not the key element in protecting information. In most cases, the companies already have the technology in place – e.g., firewalls, antivirus software, backups, etc. However, they still suffer data breaches, because this technology is not enough on its own. Employees often do not know how to use that technology securely, and, more importantly, technology alone is very limited when it comes to stopping an insider attack, so something else needs to be deployed: organizational controls such as policies, procedures, and awareness.
Collect data for specific, explicit purposes. Avoid using it in ways that aren't aligned with the original intent.
Only gather the data absolutely necessary. Excess or irrelevant data should not be collected.
Maintain data that's up-to-date and correct. Regularly review and rectify any inaccuracies.
Retain data only for the required duration. Delete it once it's no longer necessary for its initial purpose.
Keep data safe and protected from breaches. Ensure confidentiality at all times.