THE STANDARD FOR
MANAGEMENT OF INFORMATION SECURITY
ISO 27001


Contents

What is ISO 27001?
Why is Information Security Needed?
How do you start to implement ISO 27001? What is involved?
Being Audited to ISO 27001
The Benefits of Certification to ISO 27001
Why choose ISOQAR for your Certification Audit?
What is the cost of ISO 27001 Certification?
Integrated Management Systems
Where to obtain further information or help

What is ISO 27001?

ISO 27001 is a specification for the management of information security: it sets out the requirements for an Information Security Management System (ISMS). It is applicable to all sectors of industry and commerce and is not confined to information held on computers. It addresses the security of information in whatever form it is held.

The information may be printed or written on paper, stored electronically, transmitted by post or email, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, ISO 27001 helps an organisation ensure it is always appropriately protected.

Information security can be characterized as the preservation of:

Confidentiality - ensuring that information is accessible only to those who are authorised to have access to it
Integrity - safeguarding the accuracy and completeness of information and of the methods used to process it
Availability - ensuring that authorised users have access to information, and to the systems that hold it, when they need it

ISO 27001 contains a number of control objectives and controls (listed in its Annex A). An organisation selects the controls appropriate to the risks it has identified and records that selection, with justification, in its Statement of Applicability.

Why is Information Security Needed?

Information is now globally accepted as a vital asset for most organisations and businesses. As such, the confidentiality, integrity and availability of vital corporate and customer information may be essential to maintaining competitive edge, cash-flow, profitability, legal compliance and commercial image. ISO 27001 is intended to assist with this task. It is easy to imagine the consequences for an organisation if its information were lost, destroyed, corrupted, burnt, flooded, sabotaged or misused. It can, and in many cases has, led to the collapse of companies.

How do you start to implement ISO 27001? What is involved?

Developing an Information Security Management System (ISMS) that satisfies the requirements of ISO 27001 involves three steps:

1. Creation of a management framework for information security. This sets the direction, aims and objectives of information security and defines a policy which has management commitment.
2. Identification and assessment of security risks. Security requirements are identified by a methodical assessment of security risks. The results of this assessment guide and determine the appropriate management action and priorities for managing information security risks.
3. Selection and implementation of controls. Once security requirements have been identified, controls should be selected and implemented. The controls need to reduce risks to an acceptable level and meet the organisation’s specific security objectives. Controls can take the form of policies, practices, procedures, organisational structures and software functions, and will vary from organisation to organisation. Expenditure on controls needs to be balanced against the business harm likely to result from security failures.

One section of the actual standard provides guidance on its use.

Adopting ISO 27001 cannot make your organisation immune from security breaches, but it will make them less likely and reduce the consequential cost and disruption if they do occur.

Being Audited to ISO 27001

Once all the requirements of ISO 27001 have been met, you can apply for an external audit. This should be carried out by an accredited third-party certification body. In the UK, the body should be accredited by UKAS (look for the 'crown and tick' logo).

The chosen certification body will first review the relevant documentation. This should include the declared policy, the scope of the ISMS, the documents covering the risk assessment, the risk treatment plan, the Statement of Applicability and the documented security procedures. The auditors will also be checking that you have identified and implemented the controls that are appropriate to the size and type of your business. This stage is normally carried out at your premises, which benefits both parties.

This is followed at a later date by a full on-site audit to ensure that working practices observe these procedures and stated objectives, and that appropriate records are kept.

After a successful audit, a certificate of registration to ISO 27001 will be issued. There will then be surveillance visits (usually once or twice a year) to ensure that the system continues to work.

What are the Benefits of Certification to ISO 27001?

Obtaining a certificate from a third-party certification body demonstrates to customers, partners and regulators that you have addressed, implemented and controlled the security of your information, and that an independent body has verified this. The benefits do not stop there.

Why choose ISOQAR for your Certification Audit?

ISOQAR has an enviable record for customer satisfaction for its certification services. A friendly, practical and straightforward approach has led to continual steady growth through referrals from contented clients and management consultants. ISOQAR only employs auditors that have empathy with this approach. They are also carefully allocated by their experience in the industry they are auditing. This results in a practical, meaningful audit, carried out in an air of mutual understanding. ISOQAR firmly believes that its audits should ‘add value’ and benefit the organisation being audited.

What is the cost of ISO 27001 Certification?

Please contact us if you would like a copy of our Guidance Price List. Please note, however, that the controls each organisation needs to put in place to ensure the security of its information vary widely. Consequently we ask companies seeking registration to complete a short questionnaire about their activities and selected security controls. This information enables us to ascertain how long the audit will take and to provide an accurate written quotation, without any obligation. ISOQAR’s fees are amongst the lowest you will find for such certification services.

Integrated Management Systems

There is an increasing trend for organisations to combine all their management systems into one integrated system. ISO 27001 has been produced to harmonise with other standards and specifications such as ISO 9001 (Quality), ISO 14001 (Environmental) and OHSAS 18001 (Health & Safety).

By reducing duplication and providing a centralised document control system, integrated systems not only help organisations internally, but may also offer cost benefits for the third-party certification audit.

Where to obtain further information or help

The standard itself is available from The Stationery Office, including through its on-line bookstore.

On-line, search for ‘27001’ under products and you will also find other useful tools to help with its implementation. There are products for the Code of Practice, for preparing for ISO 27001 certification, guidance for risk assessment, and gap analysis tools for checking your processes and controls.

For more information on ISO 27001, using the Internet for research is by far the best approach. There is a wealth of information at www.c-cure.org, www.gammassl.co.uk, www.dti.gov.uk/cii/datasecurity and www.securityrisk.co.uk.

Many organisations choose to employ the services of a management consultant to help with the implementation of management systems such as ISO 27001. An example of such a consultancy can be found at www.insight.co.uk. ISOQAR can provide a more comprehensive list of consultants local to you. Please call us on 0161-865 3699.

None of these web sites are recommended, vetted, approved by, or connected with ISOQAR. They are merely listed to help you find out more about ISO 27001.
