ISO business implementation

ISO Implementation – How to get started

ISO Implementation – How to get started

Emily Martins
Cybersecurity Consultant

Organisations increasingly have to be able to demonstrate to suppliers, end-customers and regulators that they can be trusted for information security and privacy management. Channel Islands-based businesses are no exception, and, like many businesses, you may have identified that having ISO27001 demonstrates that your organisation will have identified risks and put in place preventative measures to protect your network and data from cybersecurity breaches.

What is ISO27001?

ISO27001 icon

ISO/IEC 27001:2013, more commonly referred to as simply ISO27001 or ISO27k, is the international standard for information security. Together with the accompanying guidance of ISO/IEC 27002:2013 it is designed for organisations of all sizes to establish, implement, maintain, and continually improve an Information Security Management System (ISMS) suitable to secure their Information Assets.

business ISO implementation

Why ISO27001?

Peace of mind

Your customers expect you to keep their data secure, but what about yours? Implementation of ISO27001 means that every piece of important data you hold is considered, and therefore secured.

Reduce Information Security Risk

The Confidentiality, Integrity and Availability of Information and Information processing facilities are key in ISO27001. Implementation and monitoring of controls can help reduce downtime to your customers whilst maintaining accuracy and confidentiality of the data.

Satisfy your stakeholders

Understanding the requirements of your interested parties is a crucial component within ISO27001, meaning that your controls are tailored to the stakeholders that you need to satisfy the most, be this your customers, your CEO or even regulatory bodies.


businessman thinking about ISO implementation

How do I get ISO27001?

Firstly, get Top Management ‘buy in’

While it might seem obvious, in order to implement an effective ISMS there needs to be direction from the top down. This is important for a number of reasons, including;

  • Resource and Support – ensuring that your ISMS has sufficient staff, controls and budget to run effectively.
  • Change management – knowing what changes are happening within your business, allowing for changes within the ISMS to be considered and ensuring that there are no unexpected surprises.
  • Accountability – Top Management is ultimately accountable for the ISMS, and any ISO27001 Auditor will need to know that they are on board.

Determine the Scope of your ISO27001 accreditation

A smaller scope isn’t always easier. When leaving some parts of your organisation out of the scope, it means they have to be treated as an “outside world”. That means you have to limit their access to the information within the scope, potentially creating more problems when it comes to implementation.

Additionally, if you become certified, a Change To Approval (CTA) will be needed for each scope expansion, meaning more money and more time. This is why it is crucial to seek professional advice for undertaking your ISO27001 accreditation – to be able to fully evaluate your business requirements.

Perform risk assessments, implement controls and audit your ISMS

Once you’ve defined your scope you will then need to ensure that your business has considered the risks to your information, applied the appropriate controls and validated that these are working effectively and in line with the requirements of the standard through internal audit. Once you are confident that your ISMS is working you can then consider your next steps towards certification.


business colleagues discussing ISO implementation

Compliance vs Certification?

Determine exactly then what your business is aiming for – Compliance vs Certification.

Compliance can be defined as the point where an assessment, usually an internal audit, proves that the processes and controls determined by the ISMS are working satisfactorily, whereas certification requires an independent audit from an external body – this is where companies like JT come in.

When looking to certify selecting the right auditor is crucial, we advise that you select an auditor who is accredited by UKAS, the UK's recognised accreditation body.

What’s next? Planning your business case for an information security management system

JT can help to take your organisation on its ISO27001 journey. Our experts are on hand with years of experience in the implementation and auditing of ISO27001 Information Security Management Systems.

We’ll be able to walk you through setting your objectives, select your appropriate controls (Risk Assessment, legal, statutory and regulatory requirements, etc.) through to implementing your IMS system.

And, we’ll work with you to action any risk treatment items identified, embed your policies and procedures, perform audits and continually improve your security.

In addition to improving how regulators, customers and suppliers view your business’s security, ISO27001 certifications will benefit your internal systems, processes and day-to-day operating procedures.

Don’t delay – get in touch with our team today to discuss your journey to ISO27001 certification:

Enquire now >