What is ISO 27001?

ISO 27001 is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) .

It is a standard which specifies how information security is managed. It is not restricted to electronic records but includes written and all other forms of information storage and distribution.

What is information security?

Information security in this context means:

• Confidentiality - ensuring that access to any information is appropriately authorised
  
• Availability - ensuring that authorised users can access information when they need it
  
• Integrity - preserving the accuracy and completeness
  

Who is it applicable to?

ISO 27001 is applicable to every type of organisation. The more information you have and the more valuable that information is to you and your organisation then the more important information security becomes.

What is involved?

ISO 27001 is typically delivered in 3 steps that require organisations to:

1. Create a management framework for information security management - that details the strategy, aims and objectives of information security in the organisation. This framework must have widespread management backing across all parts of the organisation
2. Identify and assess information security risks – a methodical audit of security risks will allow the organisation to determine appropriate actions and priorities for dealing with any risks or potential risks identified
3. Undertake the selection and implementation of controls to mitigate risks – these controls refer to the methods used in security risk mitigation and may include: policies, practices and procedures, specific organisational structures and software implementations. These controls will vary according to how an organisation operates. The key element in determining which controls to apply is that there is a positive cost/benefit ratio.

What are the benefits of ISO 27001?

Typically the benefits of ISO 27001 include some or all of the following – depending on the nature of the organisation:

• Reassuring customers and prospective customers – giving you a marketing edge
• Reducing the risk of a costly information leak – particularly commercially sensitive or high negative PR value
• Making compliance with other systems easier including other international standards and specific customer driven requirements

In addition, the process of achieving compliance with ISO 27001 can often lead to organisations reflecting on management structures, policies and procedures. Many find that improvements can be made to the organisation with benefits far wider than just information security.

How do I acheive certification to ISO 27001?

Once all the requirements of ISO 27001 have been met, you can apply for certification. This should be carried out by a UKAS accredited certification body.
The certification body will carry out the certification process in 3 stages:

• Stage 1 - will involve a review of your documentation including your policy, scope of the ISMS, risk assessment, risk treatment plan, Statement of Applicability, and security procedures. This will also include a review of the controls you have implemented to ensure that they are appropriate to the size and nature of your business.
• Stage 2 - will be a full on-site audit to ensure that what happens in practice follows these documented procedures and that adequate records are being kept. Following a successful audit, a certificate of registration to ISO 27001 will be issued.
• Stage 3 – is the process of on-going auditing, known as surveillance visits. These are carried out by the assessment body once or twice per year to ensure that the procedures are being maintained

Find out more

find out about certification

download our brochure

or contact us for more information