ISO 27001 is a specification for the management of information security. It is applicable to all sectors of industry and commerce and is not confined to information held on computers. It addresses the security of information in whatever form it is held. The information may be printed or written on paper, stored electronically, transmitted by post or email, shown on film, or spoken in conversation. Whatever form the information takes, and whatever means are used to share or store it, ISO 27001 helps an organization ensure it is always appropriately protected.
Information security can be characterized as the preservation of:
- Confidentiality - ensuring that access to information is appropriately authorized.
- Integrity - safeguarding the accuracy and completeness of information and processing methods.
- Availability - ensuring that authorized users have access to information when they need it.
ISO 27001 contains a number of control objectives and controls, grouped under the following areas:
- Security Policy
- Organisational Security
- Asset classification and control
- Personnel Security
- Physical and environmental security
- Communications and operations management
- Access control
- System development and maintenance
- Business continuity management
- Compliance
WHY IS INFORMATION SECURITY NEEDED?
Information is now globally accepted as being a vital asset for most organizations and businesses. As such, the confidentiality, integrity and availability of vital corporate and customer information may be essential to maintain competitive edge, cash flow, profitability, legal compliance and commercial image. ISO 27001 is intended to assist with this task. It is easy to imagine the consequences for an organization if its information was lost, destroyed, corrupted, burnt, flooded, sabotaged or misused. In many cases it can lead (and has led) to the collapse of companies.
HOW DO YOU START TO IMPLEMENT ISO 27001? WHAT IS INVOLVED?
Developing an Information Security Management System (ISMS) that satisfies the requirements of ISO 27001 involves three steps:
- Creation of a management framework for information. This sets the direction, aims, and objectives of information security and defines a policy which has management commitment.
- Identification & assessment of security risks. Security requirements are identified by a methodical assessment of security risks. The results of the assessment will help guide and determine the appropriate management action and priorities for managing information security risks.
- Selection and implementation of controls. Once security requirements have been identified, controls should be selected and implemented. The controls need to ensure that risks are reduced to an acceptable level and that the organization’s specific security objectives are met. Controls can be in the form of policies, practices, procedures, organizational structures and software functions. They will vary from organization to organization. Expenditure on controls needs to be balanced against the business harm likely to result from security failures.
Adopting ISO 27001 cannot make your organization immune from security breaches. But it will make them less likely and reduce the consequential cost and disruption if they do occur.
BEING AUDITED TO ISO 27001
Once all the requirements of ISO 27001 have been met, you can apply for an external audit. This should be carried out by a third-party, accredited certification body. The chosen certification body will first review the relevant documentation. This should include the declared policy, the scope of the ISMS, documents covering the risk assessment, the risk treatment plan, the Statement of Applicability and documented security procedures. The auditors will also be checking that you have identified and implemented controls that are appropriate to your size and type of business. This process is normally carried out at your premises, which is more beneficial to both parties. It is followed at a later date by a full on-site audit to ensure that working practices observe these procedures and stated objectives, and that appropriate records are kept. After a successful audit, a certificate of registration to ISO 27001 will be issued. There will then be surveillance visits (usually once or twice a year) to ensure that the system continues to work.
WHAT ARE THE BENEFITS OF CERTIFICATION TO ISO 27001?
Obtaining a certificate from a third party demonstrates that you have addressed, implemented and controlled the security of your information.
But the benefits don’t stop there. Certification also:
- Comforts customers, employees, trading partners and stakeholders in the knowledge that your management information and systems are secure.
- Demonstrates credibility and trust.
- Can lead to cost savings. Even a single information security breach can involve significant costs.
- Establishes that relevant laws and regulations are being met.
- Ensures that a commitment to information security exists at all levels throughout an organization.
WHY CHOOSE ISOQAR FOR YOUR CERTIFICATION AUDIT?
ISOQAR has an enviable record for customer satisfaction for its certification services. A friendly, practical and straightforward approach has led to continual steady growth through referrals from contented clients and management consultants. ISOQAR only employs auditors that have empathy with this approach. They are also carefully allocated by their experience in the industry they are auditing. This results in a practical, meaningful audit, carried out in an air of mutual understanding. ISOQAR firmly believes that its audits should “add value” and benefit the organization being audited.
WHAT IS THE COST OF ISO 27001 CERTIFICATION?
A guidance price may be provided upon request. However, the controls each organization needs to put in place to ensure the security of its information vary widely. Consequently we ask companies seeking registration to complete a short questionnaire about their activities and selected security controls. This information enables us to ascertain how long the audit will take and to provide an accurate written quotation (without any obligation). ISOQAR’s fees are amongst the lowest you will find for such certification services.
WHERE TO OBTAIN FURTHER INFORMATION OR HELP?
The actual standard can be purchased from The Stationery Office (www.tso.co.uk). Search for 27001 under products and you will also find other useful tools to help with its implementation. There are products for the Code of Practice, preparing for ISO 27001 certification, guidance for risk assessment, and gap analysis tools for checking your processes and controls. For more information on ISO 27001, using the Internet for research is by far the best approach. There is a wealth of information at www.c-cure.org, www.xisec.com, www.gammassl.co.uk, www.dti.gov.uk/cii/datasecurity and www.securityrisk.co.uk. None of these web sites are recommended, vetted, approved by, or connected with ISOQAR. They are merely listed to help you find out more about ISO 27001.
THE AUDIT PROCEDURE FOR ISO 27001
ISOQAR's assessors are selected to meet the requirements of your particular sector. Your company's activity, location of premises, size and complexity are all taken into account. On receipt of your application form, we will contact you to agree dates for the following:
A Document Review
The document review aims to establish that your information security management system documentation meets the requirements of the standard. We compile a detailed report and a planned audit schedule. These are discussed with you and provided for your information. If deemed necessary by ISOQAR or requested by the company, this can take place at your premises. This enables you to establish a rapport with your auditor and may help reduce the incidence of non-compliances at the next stage.
An On-Site Audit
A detailed, on-site audit of your company's implemented, documented system against the company's working practices and the appropriate ISO 27001 standard.
Findings of the audit are documented. If there are any areas of concern to the assessors, the following may be raised:
- Major non-compliances - which must be rectified before certification can be recommended by the Lead Assessor.
- Minor non-compliances - which do not affect the recommendation for approval but must be addressed prior to the issue of your certificate.
At the close of the audit, the Lead Assessor will leave his recommendation with you.
ISOQAR's certification is valid for a three-year period and monitored by a Registered Assessor at regular intervals. All visits to your company are by appointment, thereby ensuring availability of relevant personnel. At the end of three years your organisation will need to be re-assessed. Fees for this will be kept to a minimum and discussed with you in advance. Please note: All audits are performed on the basis of limited sampling. If discrepancies are not discovered, there is no guarantee that they do not exist.
EXTENSION TO SCOPE OF CERTIFICATE
Amendments or extensions to the initial certified scope are possible, for example to include additional offices or new areas of business. The audit for this 'extension' can often be carried out with minimum disruption to your organisation. A common practice is to allocate some extra time during a routine surveillance visit.
Following certification your company can display the ISOQAR shield of approval.
RULES FOR APPEAL
In the event of an audit which results in a recommendation to defer registration to the relevant standard (or at a later stage if notified that a certificate is to be withdrawn), a written appeal may be sent to the Chief Executive of ISOQAR. All appeals will be heard by an Appeals Panel selected from the Governing Board. Your company has a right to object to any member forming part of the chosen panel. The Governing Board will then select a different panel. If the appeal is upheld, the findings of the auditor will be overruled. If the auditor is found to be correct, your company will be required to pay for a partial or full re-audit and the cost of the appeal. Such appeals are exceptionally rare.