ISO 27001 sets out how an organisation should approach its information security management project and specifies the essential components. Because the standard is recognised internationally, certification lends credibility to an organisation’s claim that its clients’ information is secure.
ISO 27001 is suited to organisations of any size or sector, enabling you to prove you meet the same standard as the likes of Google, Microsoft and Xerox.
What are the benefits of ISO/IEC 27001 Information Security Management?
• Suits all types of business, large or small
• Reduces and prevents information security risks
• Proven to help win and retain business
• Identifies risks and puts controls in place to manage or reduce them
• Offers the flexibility to apply controls to all or selected areas of your business
• Gains stakeholder and customer trust that their data is protected
• Demonstrates compliance and helps gain status as a preferred supplier
• Meets more tender expectations by demonstrating compliance
Stories of security breaches are increasingly commonplace. A survey by a well-known research company in the UK and US found that 39% of IT staff could gain unauthorised access to their organisation’s most sensitive information. Perhaps unsurprisingly, then, fines for data security breaches in 2014 increased by over 200%, according to the Information Commissioner’s Office.
ISO 27001, developed as a best practice standard by experts and target users, enables organisations to formalise and verify that risks are properly identified and managed. More importantly, it demonstrates to clients and stakeholders that the security of their information is taken seriously.
As a result, not only does it make winning business easier in a difficult financial climate, it also helps to retain existing custom. The standard will therefore soon start paying for itself.
A straightforward approach
As a generic management standard, ISO 27001 can be used by those of any size, across all sectors. It provides a framework so that staff know who does what, when and how. As a result, research has shown it can help improve staff morale and retention.
Once implemented, ISO 27001 helps work become more measurable, repeatable and scalable. This has positive implications for your bottom line: the greater consistency and traceability achieved reduces mistakes and the resulting costly re-work.
In addition, ISO 27001 is designed to be compatible with other popular standards such as ISO 20000 (ITSM), ISO 9001 (Quality), ISO 14001 (Environmental) and OHSAS 18001 (Health and Safety). All or any combination of these complementary standards can be integrated seamlessly. Because they share many principles, choosing an integrated management system can reduce cost considerably.
ISO 27001 Certification Process
An information security management system, or ISMS, can be certified to ISO 27001. This diagram shows the basic steps required to set up an ISMS according to the standard. The scope and security policy specify what the ISMS covers and management’s commitment to the system. The risk assessment, the selection of security controls and the implementation of those controls through risk treatment plans together give a working system.
The statement of applicability is effectively a cross check on the controls listed in the standard.
Once in place, internal audits, annual internal management reviews and certification surveillance audits ensure that the system is maintained and improved. This follows the standard ISO Plan-Do-Check-Act (PDCA) approach.
STEP 1: Preparation
If you are new to the ISO 27001 standard you may require some guidance before you start. We are able to provide customised, in-house overview training and you’ll also find some articles on our website containing generic hints and tips about implementing the standard. When you’re ready, we’ll discuss your certification requirements with you and provide a competitive quotation so you can budget accurately. Your quotation will be based upon factors such as your organisation’s activities, how many locations you operate from and how many people you employ.
STEP 2: Application
Once you decide to proceed, we’ll assign an ISMS Consultant to you. He or she will be your principal contact throughout the registration process and beyond. They will build up detailed knowledge of your organisation and will be able to answer any questions you might have. Many of our clients start with a Pre-assessment. This optional service is where we review your current circumstances as part of a Gap Analysis and agree an action plan with you.
STEP 3: Pre-Audit Assessment (known as Stage 1)
Your GYR ISMS Consultant will visit you to explain the standard and undertake a conformity assessment of your current arrangements for information security management. You will then receive a detailed report including all required actions. Together, you will then determine the appropriate timetable for your Audit Assessment.
STEP 4: Audit Assessment (known as Stage 2)
Once you are ready for your formal Audit Assessment, your GYR ISMS Consultant will make the required arrangements for you. On completion, you will be informed of the Auditor’s recommendation before he or she leaves your premises.
STEP 5: Registration & Certificate
Following the Auditor’s recommendation, your registration will be reviewed and if approved your certification will be confirmed. Soon after, your certificate of conformity to the ISO 27001 standard will be issued and sent to you.
STEP 6: Continual Assessment
Having achieved certification, you’ll want to maintain your registration. Depending on the consulting options you chose, your GYR ISMS Consultant will remain on hand to undertake the required annual reviews to ensure you continue to meet the requirements of ISO 27001.
ISO 27001 Certification Costs
We work with clients of all sizes, and even if you are a one-person business, we can help you. With no long-term contract to tie you in, we provide an affordable, transparent route to achieving ISO 27001 certification.
Ultimately, your quotation will be based on factors such as your organisation’s activities, how many locations you operate from and how many people you employ (if any).
We provide all of our clients with a competitive proposal with no hidden extras. We won’t charge you extra for travel, registration fees or for your certificate (unlike many others).
ISO 27001 History
The ISO/IEC 27000 series consists of information security standards published by the International Standards Organisation (ISO) and the International Electrotechnical Commission (IEC). The series is designed to give best practice recommendations on information security management including risks and controls within the context of an overall Information Security Management System (ISMS), in a similar way to management systems for quality assurance (ISO 9000) and environmental protection (ISO 14000).
There are seven published standards within the ISO 27001 family, with ISO 27001 being the standard organisations can be certified to. ISO 27001 can be traced back to British Standard 7799, which was published in 1995. Originally written by the DTI, it was adopted by ISO after several revisions as ISO/IEC 17799.
There was a second part to BS 7799, which specified the implementation of an ISMS. This element became ISO 27001 in November 2005 (hence the name ISO 27001:2005). In the same year, a third part of BS 7799 was released, covering risk analysis and management and aligning with the ISO 27001 standard.
The basic objective of the ISO 27001 standard is to help establish and maintain an effective information management system, using a continual improvement approach. It implements OECD (Organisation for Economic Cooperation and Development) principles governing the security of information and network systems.
In October 2013 the latest revision of the standard titled ISO 27001:2013 was published. Based on ISO’s new high-level Annex SL structure, it is designed to be even more compatible with other Management System Standards. The update also takes into account the changing world of information security, where cybercrime, cloud computing and smartphones have changed the landscape considerably. More than ever, it is recognised as the best practice standard for demonstrating information security credentials.
ISO 22301 is one of the newest international standards published by ISO; its first edition was published in 2012. The ISO 22301 standard is one of the first standards worldwide to be harmonized with Annex SL, which prescribes the structure of all current and future management system standards (MSS).
Largely based on BS 25999-2 (a British standard for business continuity), ISO 22301 prescribes requirements for organizations that want to build a business continuity management system (BCMS). Any type of organization can refer to this standard and develop its own business continuity management system. Once all applicable criteria are addressed, the organization can have its business continuity management system certified by a third-party certification body.
Most organizations develop a quality management system because:
• There is a need to assure their customers and other stakeholders that the organization has the ability to meet continuity requirements and expectations. A certification to ISO 9001 will provide that confidence to the organization’s customers.
• Organizations need a consistent approach to dealing with disruptive incidents. Applying ISO 22301 gives the organization a framework within which a documented management system addressing this need can be developed.
ISO 22301 helps organizations build an effective mechanism for identifying and satisfying continuity and recovery needs.
The benefits an organization gains from applying ISO 22301 and obtaining certification depend largely on management’s reasons for selecting the standard. The following examples, however, give some indication of what ISO 22301 can offer an organization:
• Enhanced brand image – An ISO 22301 certified organization is considered more reliable than similar organizations that are not certified. The certification is globally accepted and is gained by large as well as small organizations, so it puts them on an equal footing in terms of perceived brand reliability. The certification also adds to brand recognition.
• Increased trust of all interested parties – Interested parties of an organization include its customers, owners, employees, suppliers, bankers, etc. All of these have certain expectations regarding the continuity of the organization. Because processes and controls for reacting to business disruptions are more readily available after an ISO 22301 based business continuity management system is applied, the organization’s long-term survival becomes more assured. As a result, the trust and confidence of all these interested parties are boosted.
• Improved involvement of people – A business continuity management system built around ISO 22301 demands active involvement and participation of people. Involving people at all levels improves the team spirit and boosts internal cohesiveness of the organization.
• Protection of reputation – Due to the readiness of the organization to react to any kind of business disruption or emergency situation, the organization is able to deal with such incidents effectively and thus prevents any damage to the reputation of the organization.
• Prevention of losses – Any business disruption may bring expenditure or losses resulting from the impact of the incident. An effectively designed business continuity framework will help an organization prevent such losses by reacting systematically to such incidents.
• The ISO 22301 standard applies to all types of organizations including commercial organizations, non-profit organizations, Governments, Educational Institutes, NGOs, etc.
Roadmap to certification
• GYR Technology helps customers from the initiation of business continuity management system development through to certification to ISO 22301.
• The following 12-step process describes the high-level approach to implementation and certification: