ISO 27001 Information Security Management Standard (ISMS)
ISO 27001 specifies the management of Information Security. Applicable to all sectors of industry and commerce, it is not confined just to information held on electronic systems, but addresses the security of information in whatever form it is held.
Information is now globally accepted as being a vital asset for most organisations and businesses. As such, the confidentiality, integrity, and availability of vital corporate and customer information may be essential to maintain competitive edge, cash-flow, profitability, legal compliance and commercial image. ISO 27001 is intended to assist with this task. It is easy to imagine the consequences for an organisation if its information was lost, destroyed, corrupted, burnt, flooded, sabotaged or misused. In many cases it can lead (and has led) to the collapse of companies.
ISO 27001 is part of the ISO 27000 series, the generic name given to a family of international standards developed to provide a framework around which an information security management system can effectively be implemented. These standards are given below:
- ISO 27000 – ISMS Introduction & Vocabulary
- ISO 27001 – ISMS Requirements (revised BS 7799 Part 2:2005)
- ISO 27002 – Code of practice for information security management
- ISO 27003 – ISMS implementation guidance
- ISO 27004 – Information security metrics and measurements
- ISO 27005 – Information security risk management
- ISO 27006 – Requirements for bodies providing audit and certification of information security management systems
ISO 27000 is maintained by the International Organisation for Standardisation (ISO) and is administered by accreditation and certification bodies. The standards are revised every few years to keep them up-to-date.
Benefits of ISO 27001 Certification
Gaining certification from a UKAS accredited certification body (such as ISOQAR) demonstrates that the security of your information has been addressed, implemented and properly controlled. But the benefits don’t stop there:
- Customers, employees, trading partners and stakeholders are comforted in the knowledge that your management information and systems are secure.
- Demonstrates credibility and trust.
- Cost savings – even a single information security breach can involve significant expense.
- Establishes that relevant laws and regulations are being adhered to.
- Shows that a commitment to Information Security exists at all levels throughout an organisation.
Information security can be characterised as the preservation of:
- Confidentiality - ensuring that access to information is appropriately authorised
- Integrity - safeguarding the accuracy and completeness of information and processing methods
- Availability - ensuring that authorised users have access to information when they need it
ISO 27001 contains a number of control objectives and controls. These include:
- Security policy
- Organisational security
- Asset classification and control
- Personnel security
- Physical and environmental security
- Communications and operations management
- Access control
- System development and maintenance
- Business continuity management
How do you start to implement ISO 27001? What is involved?
Developing an Information Security Management System (ISMS) that satisfies the requirements of ISO 27001 involves three steps:
One section of the actual standard provides guidance on its use.
Adopting ISO 27001 cannot make your organisation immune from security breaches. But it will make them less likely and reduce the consequential cost and disruption if they do occur.
Being Audited to ISO 27001
Once all the requirements of ISO 27001 have been met, you can apply for an external audit. This should be carried out by a third party, accredited certification body. In the UK, the body should be accredited by UKAS (look for the ‘crown and tick’ logo).
The chosen certification body will firstly review relevant documentation. This should include the declared policy, scope of the ISMS, documents covering the risk assessment, risk treatment plan, Statement of Applicability and documented security procedures. The auditors will also be checking that you have identified and implemented the controls that are appropriate to your size and type of business. This process is normally carried out at your premises, which is more beneficial to both parties.
This is followed at a later date by a full on-site audit to ensure that working practices observe these procedures and stated objectives, and that appropriate records are kept.
After a successful audit, a certificate of registration to ISO 27001 will be issued. There will then be surveillance visits (usually once or twice a year) to ensure that the system continues to work.
This is covered in more detail in ISOQAR’s Audit Procedure information sheet.
Why choose ISOQAR for your Certification Audit?
ISOQAR has an enviable record for customer satisfaction for its certification services. A friendly, practical and straightforward approach has led to continual steady growth through referrals from contented clients and management consultants. ISOQAR only employs auditors who have empathy with this approach. They are also carefully allocated by their experience in the industry they are auditing. This results in a practical, meaningful audit, carried out in an air of mutual understanding. ISOQAR firmly believes that its audits should ‘add value’ and benefit the organisation being audited.
What is the cost of ISO 27001 Certification?
Please contact us if you would like guidance prices. Please note, however, that the controls each organisation needs to put in place to ensure the security of its information vary widely. Consequently we ask companies seeking registration to complete a short questionnaire about their activities and selected security controls. This information enables us to ascertain how long the audit will take and provide an accurate written quotation (without any obligation). ISOQAR’s fees are amongst the lowest you will find for such certification services.
Obtain further information or help
ISOQAR provides a comprehensive range of Training Courses relevant to the standards we offer. These range from awareness about the standards to knowledge about how to create an appropriate management system. Full and current training information can be viewed here.
Additionally, we have a technical team that is available to help with any queries you may have. Please email us or call us on 0161 865 3699 so that one of our team can discuss a variety of solutions that are available to you.