ISO 27001 - Information Security Management Standard (ISMS)
ISO 27001 - What is it?
ISO 27001 is a specification for the management of Information Security. It is applicable to all sectors of industry and commerce and not confined to information held on computers. It addresses the security of information in whatever form it is held.
ISO 27001 is one of the standards in the ISO 27000 family.
The information may be printed or written on paper, stored electronically, transmitted by post or email, shown on films, or spoken in conversation.
Whatever form the information takes, or means by which it is shared or stored, ISO 27001 helps an organisation ensure it is always appropriately protected.
Information security can be characterized as the preservation of:
- Confidentiality - ensuring that access to information is appropriately authorised
- Integrity - safeguarding the accuracy and completeness of information and processing methods
- Availability - ensuring that authorised users have access to information when they need it
ISO 27001 contains a number of control objectives and controls.
These include:
- Security policy
- Organizational security
- Asset classification and control
- Personnel security
- Physical and environmental security
- Communications and operations management
- Access control
- System development and maintenance
- Business continuity management
- Compliance
Why is Information Security Needed?
Information is now globally accepted as being a vital asset for most organisations and businesses. As such, the confidentiality, integrity and availability of vital corporate and customer information may be essential to maintaining competitive edge, cash-flow, profitability, legal compliance and commercial image. ISO 27001 is intended to assist with this task. It is easy to imagine the consequences for an organisation if its information were lost, destroyed, corrupted, burnt, flooded, sabotaged or misused. In many cases this can lead, and has led, to the collapse of companies.
How do you start to implement ISO 27001? What is involved?
Developing an Information Security Management System (ISMS) that satisfies the requirements of ISO 27001 involves three steps:
| Step | What is involved? | Description |
|---|---|---|
| 1 | Creation of a management framework for information security | This sets the direction, aims and objectives of information security and defines a policy which has management commitment. |
| 2 | Identification and assessment of security risks | Security requirements are identified by a methodical assessment of security risks. The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks. |
| 3 | Selection and implementation of controls | Once security requirements have been identified, controls should be selected and implemented. The controls need to ensure that risks are reduced to an acceptable level and meet an organisation's specific security objectives. Controls can be in the form of policies, practices, procedures, organisational structures and software functions. They will vary from organisation to organisation. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. |
One section of the actual standard provides guidance on its use.
Adopting ISO 27001 cannot make your organisation immune from security breaches. But it will make them less likely and reduce the consequential cost and disruption if they do occur.
Being Audited to ISO 27001
Once all the requirements of ISO 27001 have been met, you can apply for an external audit. This should be carried out by a third party, accredited certification body. In the UK, the body should be accredited by UKAS (look for the 'crown and tick' logo).
The chosen certification body will first review the relevant documentation. This should include the declared policy, the scope of the ISMS, documents covering the risk assessment, the risk treatment plan, the Statement of Applicability and the documented security procedures. The auditors will also be checking that you have identified and implemented the controls that are appropriate to the size and type of your business. This review is normally carried out at your premises, which is more beneficial to both parties.
This is followed at a later date by a full on-site audit to ensure that working practices observe these procedures and stated objectives, and that appropriate records are kept.
After a successful audit, a certificate of registration to ISO 27001 will be issued. There will then be surveillance visits (usually once or twice a year) to ensure that the system continues to work.
This is covered in more detail in ISOQAR’s Audit Procedure information sheet.
What are the Benefits of Certification to ISO 27001?
Obtaining a certificate from a third party certification body demonstrates that you have addressed, implemented and controlled the security of your information. But the benefits don't stop there. Certification also:
- Reassures customers, employees, trading partners and stakeholders that your management information and systems are secure.
- Demonstrates credibility and trust.
- Can lead to cost savings. Even a single information security breach can involve significant costs.
- Establishes that relevant laws and regulations are being met.
- Ensures that a commitment to Information Security exists at all levels throughout an organisation.
Why choose ISOQAR for your Certification Audit?
ISOQAR has an enviable record for customer satisfaction for its certification services. A friendly, practical and straightforward approach has led to continual steady growth through referrals from contented clients and management consultants. ISOQAR only employs auditors that have empathy with this approach. They are also carefully allocated according to their experience in the industry they are auditing. This results in a practical, meaningful audit, carried out in an air of mutual understanding. ISOQAR firmly believes that its audits should 'add value' and benefit the organisation being audited.
What is the cost of ISO 27001 Certification?
Please Contact Us if you would like a copy of our Guidance Price List. Please note, however, that the controls each organisation needs to put in place to ensure the security of its information vary widely. Consequently we ask companies seeking registration to complete a short questionnaire about their activities and selected security controls. This information enables us to ascertain how long the audit will take and to provide an accurate written quotation (without any obligation). ISOQAR's fees are amongst the lowest you will find for such certification services.
Where to obtain further information or help
The actual standard can be obtained from The Stationery Office. Visiting www.tsoshop.co.uk is the easiest way. Try searching for ISO 27001 requirements to reduce the quantity of search results you'll get from ISO 27001 alone.
ISOQAR provides a comprehensive range of Training Courses relevant to the standards we offer. These range from awareness about the standards to knowledge about how to create an appropriate management system. Full and current information can be viewed at www.isoqar.com/training.
Additionally, we have set up a technical team that is available to help with any queries you may have. Please email us or call us on 0161 865 3699 so that one of our team can discuss a variety of solutions that are available to you.
We are just one click or call away from all the guidance you need.