ISO 27001 Information Security Management

What is ISO 27001?

ISO 27001 is an internationally acclaimed standard that provides the framework for an (ISMS) – Information Security Management System.  It’s a systematic approach that helps to keep sensitive information secure.

The implementation of ISO 27001 also helps to ensure compliance with all applicable laws and regulations including compliance to GDPR.

The standard provides a robust framework for both the internal and external control of data.

It helps you to identify areas of vulnerability in data breaches and provides an effective framework for the minimising and prevention of risks and threats.

Attaining ISO 27001 demonstrates to all persons of interest including customers and stakeholders that your organisation takes data security very seriously.

Today, cyber-attacks are one of the highest risks that an organisation can face. Without an effective ISMS you could be subject to substantial fines and loss of reputation.

That’s why last year alone, certifications’ to ISO 27001 increased by a massive 20%.

Who does it apply too?

It applies to all sectors of industry and commerce because it addresses the security of the information you hold, in whatever form it is held or shared. 

How do I attain ISO 27001?

The implementation of your ISMS will need to be scaled to the needs and size of your organisation. It should cover your objectives, complexity and demands as regards to your security requirements.

The standard takes into account your technology, processes and the people connected to your organisation both internally and externally.

Detailed in the Annex (the framework) of the standard are over a 100 areas that you are required to consider.  There are certain things that you are required to do.However, the standard is not prescriptive in that you have to meet all the 100 plus areas.

Firstly, you must review all the areas categorised under a group of 14 headings such as:-

Information Security policies     Supplier relationships     Communications security

Human resource security             Access control                  Asset management 

You need to determine which areas both apply and don’t apply to you.  In cases were they don’t apply – why don’t they apply?  However, if they do apply, how should they be addressed and how can you aim to improve upon them continually.

This means that your ISMS will be unique to your organisation.

A Gap analysis to assess your security management systems against the requirements of ISO 27001 would be required, followed by a plan to achieve standard compliance.

UKAS Accreditation

When applying for UKAS accreditation, you will need to ensure that your ISMS not only complies with the standard but that it is fit for purpose. It should be appropriate to both the size and structure of your company.  It should also comply with all contractual arrangements with any third-parties.

Accredited third-party certification demonstrates that you have addressed, implemented and controlled the security of your information and such measures are considered to be effective.

What are some of the benefits of ISO 27001?

  • Legislation – ensures compliance with all applicable regulations and laws.
  • Keeps confidential information and business assets secure
  • It ensures authorisation for people to have access to information
  • Stakeholders gain greater assurance that you are safeguarding sensitive information
  • The standard reduces the likelihood of security breaches and fines
  • Helps to generate new business – provides a competitive advantage
  • Helps to reduce third-party inspection as to your information security practices
  • Meets customer satisfaction in gives assurance that their data is protected and upheld
  • Covers potential risks and threats
  • Continually improves your business security processes 

Crown Management specialise in ISO 27001.

For advice/information or to arrange a free of charge review call us on 0161 620 2083.