ISO 27001 - Information Security Management System Certification

Briefly

ISO/IEC 27001 specifies the requirements for an information security management system (ISMS): how to establish, implement, maintain and continually improve it.

Description

What is ISO 27001?



ISO/IEC 27001 is the best-known standard for information security management systems (ISMS). It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system; the accompanying guidance on individual controls is found in ISO/IEC 27002.

The 27001 standard also helps organisations become risk-aware, identify and address weaknesses, and take a holistic approach to information security that covers people, processes and technology, while ensuring that the system follows the best practices and principles set out in this International Standard.

Once certified, organisations can proudly promote themselves as certificate holders in any of their promotional materials and can include the URS certification logo free of charge.






Who requires an ISO 27001 certification?



Any organisation that handles sensitive data and needs to demonstrate robust information security practices should consider ISO 27001 certification. Relevant sectors include:







  • Healthcare

  • Finance

  • Consulting

  • Telecommunications



How can ISO 27001 benefit your business?



Becoming certified for ISO 27001 can bring a wide range of benefits to your organisation, including:





  • Reducing the risk of cyber attacks

  • Complying with regulations

  • Building customer confidence

  • Protecting your organisation and its reputation



How can you prepare for an ISO 27001 Certification?



Although the thought of starting the certification process may seem daunting, there are a number of steps you can take to make the path to certification far smoother:







  • Familiarise yourself with the ISO 27001 standard

  • Carry out a risk assessment to identify the information security risks your organisation faces

  • Ensure your policies and procedures are clear and easy for your employees to understand

  • Conduct an internal audit to identify any areas of your ISMS that do not comply with the standard

  • Provide training for employees to ensure your organisation meets the standard's competence requirements



What are the key requirements for ISO 27001?



When working towards becoming certified for ISO 27001, there are various areas that will be a focus during the audit. These areas include:





  • Risk assessment and risk treatment

  • Access control

  • Business continuity and contingency planning

  • Supplier relationships and supplier management



What clauses make up the structure of ISO 27001?






Clauses 1-3 – Introductory Clauses:



The first three clauses of ISO 27001 serve as an introduction to the standard and cover its scope, normative references, and terms and definitions. The preceding introduction briefly describes the standard's approach and its compatibility with other management system standards.

The seven remaining clauses cover the mandatory requirements for the Information Security Management System.




Clause 4 – Context of the organisation:



Clause 4 requires the organisation to understand its context and the needs and expectations of its interested parties (the key stakeholders), and to define the scope of the information security management system.



Climate Change Amendments:

The amendments have not changed the requirements of clauses 4.1 and 4.2; rather, they add the requirement that climate change is considered as part of the management system. Because climate awareness is now a necessity, organisations are expected to consider it, and it is therefore included as part of the standard.

No transition is required; instead, organisations should consider and apply the guidance provided in the amendment. If an organisation minutes its climate change considerations (CCC) during its Management Review, together with evidence of those considerations and any resulting actions, a discrepancy will NOT be raised. However, if no minute of any such considerations exists, a discrepancy will be raised.

Where a minute and evidence do exist but are clearly of little relevance to CCC, an Opportunity for Improvement (OFI) will be raised.






Clause 5 - Leadership:



This clause aims to secure the commitment of top management, ensure that roles and responsibilities are assigned within the organisation, and set out the mandatory requirements for an information security policy.






Clause 6 - Planning:



The planning clause covers how the organisation addresses risks and opportunities, including the information security risk assessment and risk treatment process, and how it sets and plans to achieve its information security objectives.






Clause 7 - Support:



Clause 7 defines the support required to implement, maintain and improve the Information Security Management System: resources, competence, awareness, communication and documented information.






Clause 8 - Operation:



The operation clause covers operational planning and control, the information security risk assessment and the implementation of the risk treatment plan, expanding on the actions that were planned earlier under clause 6.






Clause 9 – Performance evaluation:



The purpose of clause 9 is to ensure that the organisation monitors, measures, analyses and evaluates the effectiveness of the ISMS and its controls. This is done through internal audits and management reviews, both of which the clause covers in detail.






Clause 10 - Improvement:



In the final clause, the standard requires the organisation to deal with nonconformities, take corrective action, and continually improve the suitability, adequacy and effectiveness of the ISMS.



How long will your ISO 27001 certificate be valid for?



Your ISO 27001 certificate will be valid for three years, subject to periodic surveillance audits during that period; the audit schedule depends on the type of site being certified.






Ready to get started? Apply using the quotation link below.


