Welcome to our area devoted to the ISO 27001 Information Security Management standard with separate section covering its history, the benefits of certification, and what it costs to become certified.
Information is a valuable asset that can make or break your business. When properly managed it allows you to operate with confidence. Information security management gives you the freedom to grow, innovate and broaden your customer-base in the knowledge that all your confidential information will remain that way.
The latest ISO 27001:2013 standard is for all organisations large or small and covers all sectors, including charities and the voluntary sector. The standard applies to organisations who wish to assess and prevent information security risks.
ISO 27001 Certification Benefits
ISO 27001 sets out how an organisation should approach its information security management project and specifies the essential components. Recognised internationally, achieving certification provides credibility for those claiming their client’s information is secure.
ISO 27001 is suited to organisations of any size or sector, enabling you to prove you meet the same standard as the likes of Google, Microsoft and Xerox.
What are the benefits of ISO/IEC 27001 Information Security Management?
- Suits all types of businesses, large or small
- Reduces and prevents information security risks
- Proven to help win and retain business
- Identify risks and put controls in place to manage or reduce them
- Flexibility to adapt controls to all or selected areas of your business
- Gain stakeholder and customer trust that their data is protected
- Demonstrate compliance and gain status as preferred supplier
- Meet more tender expectations by demonstrating compliance
Stories of security breaches are increasingly commonplace. In a survey by well-known research company in UK and US, they found that 39% of IT staff could get unauthorised access to their organisation’s most sensitive information. Perhaps unsurprisingly then, fines in 2014 for data security breaches increased by over 200%, according to the Information Commissioner’s Office.
ISO 27001, developed as a best practice standard by experts and target users, enables organisations to formalise and verify that risks are properly identified and managed. More importantly, it demonstrates to clients and stakeholders that their information is taken seriously.
As a result, not only does it make winning business easier, in a difficult financial climate, it helps to retain existing custom too. As a result, the standard will soon start paying for itself.
A straight-forward approach
As a generic management standard, ISO 27001 can be used by those of any size, across all sectors. It provides a framework so that staff know who does what, when and how. As a result, research has shown it can help improve staff morale and retention.
Once implemented, ISO 27001 helps work become more measurable, repeatable and scalable. This has positive implications on your bottom-line: the greater consistency and traceability achieved reduces mistakes and the resulting costly re-work.
In addition, ISO 27001 is designed to be compatible with other popular standards such as ISO 20000 (ITSM), ISO 9001 (Quality), ISO 14001 (Environmental) and OHSAS 18001 (Health and Safety). All or any combination of these complementary standards can be integrated seamlessly. By sharing many principles, choosing an integrated management system can reduce cost considerably
ISO 27001 Certification Process
An information security management system, or ISMS, can be certified to ISO 27001. This diagram shows the basic steps required to set up an ISMS according to the standard. The scope and security policy specify what the ISMS covers and management commitment to the system. The risk assessment, selection of security controls and the implementation of those controls through risk treatment plans gives a working system.
The statement of applicability is effectively a cross check on the controls listed in the standard.
Once in place, internal audits, annual internal management reviews and certification surveillance audits ensure that the system is maintained and improved. This follows the standard ISO Plan Do Check Act approach (PDCA).
STEP 1: Preparation
If you are new to the ISO 27001 standard you may require some guidance before you start. We are able to provide customised, in-house overview training and you’ll also find some articles on our website containing generic hints and tips about implementing the standard. When you’re ready, we’ll discuss your certification requirements with you and provide a competitive quotation so you can budget accurately. Your quotation will be based upon factors such as your organisation’s activities, how many locations you operate from and how many people you employ.
STEP 2: Application
Once you decide to proceed, we’ll assign a ISMS Consultant to you. He or she will be your principal contact throughout the registration process and beyond. They will build up detailed knowledge of your organisation and will be able to answer any questions you might have. Many of our clients start with a Pre-assessment. This optional service is where we review your current circumstances as part of a Gap Analysis and agree an action plan with you.
STEP 3: Pre-Audit Assessment (known as Stage 1)
GYR ISMS Consultant will visit you to explain the standard and undertake a conformity assessment of your current arrangements for information security management. You will then receive a detailed report including all required actions. Together, you will then determine the appropriate timetable for your Audit Assessment.
STEP 4: Audit Assessment (known as Stage 2)
Once you are ready for your formal Audit Assessment, your GYR ISMS Consultant will make the required arrangements for you. On completion, you will be informed of the Auditor’s recommendation before he or she leaves your premises.
STEP 5: Registration & Certificate
Following the Auditor’s recommendation, your registration will be reviewed and if approved your certification will be confirmed. Soon after, your certificate of conformity to the ISO 27001 standard will be issued and sent to you.
STEP 6: Continual Assessment
Having achieved certification, you’ll want to maintain your registration and your GYR ISMS Consultant will remain on hand to undertake the required annual reviews to ensure you continue to meet the requirements of ISO 27001 depending upon consulting options you chose.
ISO 27001 Certification Costs
We work with clients of all sizes and even if you are a one person business, we can help you. With no long term contract to tie you in, we provide an affordable, transparent route to achieving ISO 27001 certification.
Ultimately, your quotation will be based on factors such as your organisation’s activities, how many locations you operate from and how many people you employ (if any).
We provide all of our clients with a competitive proposal with no hidden extras. We won’t charge you extra for travel, registration fees or for your certificate (unlike many others).
ISO 27001 History
The ISO/IEC 27000 series consists of information security standards published by the International Standards Organisation (ISO) and the International Electrotechnical Commission (IEC). The series is designed to give best practice recommendations on information security management including risks and controls within the context of an overall Information Security Management System (ISMS), in a similar way to management systems for quality assurance (ISO 9000) and environmental protection (ISO 14000).
There are seven published standards within the ISO 27001 family, with ISO 27001 being the standard organisations can be certified to. ISO 27001 can be traced back to the British Standard 7799, which was published in 1995. Originally written by the DTI, after several revisions ISO took it on as ISO/IEC 17799.
There was a second part to BS 7799 which formed the implementation of an ISMS. This element was what ISO 27001 became in November 2005 (therefore named ISO 27001:2005). In the same year ISO 27001 was published, a third part of BS 7799 was released. This covers risk analysis and management, aligning with the ISO 27001 standard.
The basic objective of the ISO 27001 standard is to help establish and maintain an effective information management system, using a continual improvement approach. It implements OECD (Organisation for Economic Cooperation and Development) principles, governing security of information and network systems.
In October 2013 the latest revision of the standard titled ISO 27001:2013 was published. Based on ISO’s new high-level Annex SL structure, it is designed to be even more compatible with other Management System Standards. The update also takes into account the changing world of information security, where cybercrime, cloud computing and smartphones have changed the landscape considerably. More than ever, it is recognised as the best practice standard for demonstrating information security credentials.