ISO 27001 Certification
ISO 27001 is a specification to help you manage the security of your information. It’s relevant for all businesses and isn’t confined to information held on computers. It addresses the security of your information in whatever form it’s held.
The information may be printed, stored electronically, transmitted by post or email, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it’s shared or stored, ISO 27001 helps you ensure it’s always appropriately protected.
ISO 27001 contains a number of control objectives and controls. These include:
- Information security policies
- Organisation of information security
- Human resource security
- Asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance with legal and contractual requirements
Why’s Information Security Needed?
Information’s now globally accepted as being a vital asset for most organisations and businesses. As such, the confidentiality, integrity, and availability of vital corporate and customer information may be essential to maintain competitive edge, cash-flow, profitability, legal compliance and commercial image. ISO 27001 is intended to assist with this task. It’s easy to imagine the consequences for an organisation if its information was lost, destroyed, corrupted, burnt, flooded, sabotaged or misused. In many cases it can (and has) led to the collapse of companies.
Adopting ISO 27001 cannot make your organisation immune from security breaches. But, it’ll make them less likely and reduce the consequential cost and disruption if they do occur.[hr]
How do you start to implement ISO 27001? What’s involved?
Developing an Information Security Management System (ISMS) that satisfies the requirements of ISO 27001 involves three steps:
1. Creation of a management framework for information
- This sets the direction, aims, and objectives of information security and defines a policy which the management are committed to.
2. Identification and assessment of security risks
- Security requirements are identified by a methodical assessment of security risks. The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks.
3. Selection and implementation of controls
- Once security requirements have been identified, controls should be selected and implemented. The controls need to ensure that risks are reduced to an acceptable level and meet an organisation’s specific security objectives. Controls can be in the form of policies, practices, procedures, organisational structures and software functions. They’ll vary from organisation to organisation. Expenditure on controls needs to be balanced against the business harm likely to result from security failures.
There’s a section in ISO 27001 which provides guidance on its use.[hr]
Being Audited to ISO 27001
Once all the requirements of ISO 27001 have been met, you can apply for an external audit. This should be carried out by a third party, certification body, such as Approachable Certification.
Approachable Certification will firstly review relevant documentation. This should include the declared policy, scope of the ISMS, documents covering the risk assessment, risk treatment plan, Statement of Applicability and documented security procedures. The auditor(s) will also be checking that you’ve identified and implemented the controls that are appropriate to your size and type of business. This process is normally carried out at your premises, being more beneficial to both parties.
This is followed at a later date by a full on-site audit to ensure that working practices observe these procedures and stated objectives, and that appropriate records are kept.
After a successful audit, a certificate of registration to ISO 27001 will be issued. There’ll then be surveillance visits (usually once or twice a year) to ensure that the system continues to work.[hr]
What are the Benefits of ISO 27001 Certification?
Obtaining a certificate from a third party certification body, such as Approachable Certification, demonstrates that you’ve addressed, implemented and controlled the security of your information. But the benefits don’t stop there. Certification also:
- Comforts customers, employees, trading partners and stakeholders – in the knowledge that your management information and systems are more secure.
- Demonstrates credibility and trust.
- Can lead to cost savings. Even a single information security breach can involve significant costs.
- Establishes that relevant laws and regulations are being met.
- Ensures that a commitment to Information Security exists at all levels throughout an organisation.
Integrated Management Systems
There are several common elements between ISO 9001 and ISO 27001, such as management review, document control, corrective action and the requirement for trained personnel. These can be combined into a single, joint system (together with Health & Safety if desired). Assessment of joint systems is available and may be the most suitable and cost effective approach for some companies. Read more here.[hr]
What’s the cost of ISO 27001 Certification?
Approachable Certification is committed to transparent pricing with fees based on a fixed daily rate. Criteria for the number of days required for a particular audit is specified by the accreditation body, UKAS, and depends on such factors as the size of your company and what it does.
Consequently, a few specific details are required to provide you with a competitive quotation. Please call us on 0161 667 6610, email us or tell us a bit more about what your organisation does on this quotation request form.
Why Approachable Certification?
Why choose Approachable Certification for your ISO 27001 Certification Audit? Simple. We’re competitive, friendly and offer excellent customer service. Read more here.