ISO 27001 is the internationally recognised standard for managing information security risks through an information security management system (ISMS). ISO 27001 sets out standardised requirements that help you to implement, operate, maintain and improve your ISMS. Becoming ISO 27001 certified demonstrates to clients and other stakeholders that you are a responsible organisation that takes every reasonable measure to manage information security risks.
What are the risks to information security?
Potential security threats include:
- cyber crime
- personal data breaches
- virus and malware attacks
How can ISO 27001 certification help my organisation to manage these threats?
A watertight information security management system is vital for the survival of any organisation. Gaining ISO 27001 certification involves putting in place the technical and operational requirements necessary to manage and protect all your valuable data from security threats. An ISO 27001 certified ISMS provides an effective framework for identifying risks and threats, and for establishing appropriate controls to eliminate or minimise them.
Every information security management system must effectively control who has access to information at any given time. ISO 27001 provides a framework to make sure authorised users can access the information they need while preventing unauthorised users from accessing data. If a data breach were to occur, this framework would also support your organisation’s recovery operations.
By implementing ISO 27001 you send a clear message to everybody in your organisation that information security is a top priority. Raising awareness in this way helps to establish a security mindset throughout your company, reducing the likelihood of employee-related breaches.
What are the other benefits of ISO 27001 certification?
Protect your reputation
In a BBC news report dated 9 October 2017, the head of the intelligence monitoring service GCHQ said: ‘…keeping the UK safe from cyber-attacks is now as important as fighting terrorism’. There is no doubt that cyber-attacks are becoming more frequent and more damaging by the day, causing financial and reputational harm to organisations everywhere. It is therefore more important than ever to meet ISO 27001 standards.
ISO 27001 builds trust. Your clients, employees and stakeholders have the right to expect that their private information is protected. The ISO 27001 standard is a blueprint for the policies and procedures that help to set everybody’s minds at rest. Not only will you keep your existing clients happy, but you could also gain a business advantage over competitors who are not ISO 27001 certified.
Under the GDPR, which comes into force in May, fines for data breaches can be up to 20 million euros or 4% of annual turnover, whichever is higher. ISO 27001 is the accepted global standard for information security management systems, and a certified ISMS supports your compliance with the new regulation and helps you avoid costly financial penalties. The standard requires you to select proportionate security controls for your ISMS, based on your assessment of the risks, so that you meet all applicable legal requirements including the GDPR, the NIS Directive and UK cyber security laws.
When a business grows very quickly in a short space of time there can be confusion about who is responsible for which information assets. ISO 27001 helps businesses to organise this aspect by clearly setting out all the information risk responsibilities.
ISO 27001 certification is accepted proof of effective security. Therefore, the standard saves you time and money by reducing the number of external customer audit days that you need.
As part of your ISO 27001 certification, an external auditor will undertake regular reviews of your ISMS to ensure that there is continual improvement and that everything is working correctly. Therefore you will always feel confident that your ISMS provides the security necessary to protect your organisation’s data.
Is ISO 27001 appropriate for my type of business?
Yes. ISO 27001 certification is suitable for organisations of every size, across every sector. The standard is especially suitable for organisations that process large quantities of personal or sensitive data, such as those in the public and IT sectors, health bodies, and financial and banking organisations. It is also the recognised standard for organisations that manage high volumes of data or manage information on behalf of other companies.
Can ISO 27001 be integrated with other management systems?
ISO 27001 can be fully integrated with other ISO management systems, such as ISO 9001 (quality management), OHSAS 18001/ISO 45001 (occupational health and safety) and ISO 14001 (environmental management). Integrating your management systems brings substantial business benefits, such as:
- increased organisational efficiency and effectiveness
- reduced costs
- reduced disruption due to fewer external audits
- a demonstrated commitment to performance, employee and customer satisfaction, and continual improvement.
What are the steps to ISO 27001 certification?
ISO 27001 certification involves the following steps:
- A gap analysis to find out how your existing information security management system compares to the ISO 27001 standard.
- A formal assessment. Your external auditor will review which controls and procedures have been established following the gap analysis, pointing out any further gaps that need addressing.
- Your auditor will assess the implementation of the procedures and controls that you’ve established to make sure they work effectively enough to meet ISO 27001 certification standards.
- You receive an ISO 27001 certificate which is valid for three years. Your auditor visits regularly to ensure that you remain compliant with legislation and that your information security management system continually improves, adding value to your business.
How can NDC help you to achieve ISO 27001 certification?
NDC Global Auditors’ team of qualified lead assessors have extensive experience in auditing to ISO standards in a number of industry sectors and their supply chains. Our ISO 27001 lead assessors can support your company at every step of the implementation process and provide follow-up consultancy support to facilitate continual improvement.
Our services include:
Consultancy and training
- gap analysis and action planning
- switch-on/switch-off consultancy support throughout the implementation process
- training for every step of the certification process:
  - developing effective policies, audit checklists and protocols
  - third-party assessment
  - follow-up consultancy support to facilitate continual improvement
- support to integrate ISO 27001 with other ISO standards such as ISO 9001, OHSAS 18001/ISO 45001 and ISO 14001.
Technology to support ISO 27001
Our partners at Soitron UK can also help you build the IT infrastructure needed to support ISO 27001 and GDPR compliance. Their technical experts can test your existing systems for weaknesses and help you develop IT and cyber security systems that are robust and compliant.
Contact us to discuss how we can support your organisation to implement ISO 27001.