 |
Author: Emily Martins Cybersecurity Consultant |
What is ISO27001?
ISO/IEC 27001:2013, more commonly referred to as simply ISO27001 or ISO27k, is the international standard for information security. Together with the accompanying guidance of ISO/IEC 27002:2013 it is designed for organisations of all sizes to establish, implement, maintain, and continually improve an Information Security Management System (ISMS) suitable to secure their Information Assets.
Why ISO27001?
Peace of mind
Your customers expect you to keep their data secure, but what about yours? Implementation of ISO27001 means that every piece of important data you hold is considered, and therefore secured.
Reduce Information Security Risk
The Confidentiality, Integrity and Availability of Information and Information processing facilities are key in ISO27001. Implementation and monitoring of controls can help reduce downtime to your customers whilst maintaining accuracy and confidentiality of the data.
Satisfy your stakeholders
Understanding the requirements of your interested parties is a crucial component within ISO27001, meaning that your controls are tailored to the stakeholders that you need to satisfy the most, be this your customers, your CEO or even regulatory bodies.
How do I get ISO27001?
Firstly, get Top Management ‘buy in’
While it might seem obvious, in order to implement an effective ISMS there needs to be direction from the top down. This is important for a number of reasons, including;
- Resource and Support – ensuring that your ISMS has sufficient staff, controls and budget to run effectively.
- Change management – knowing what changes are happening within your business, allowing for changes within the ISMS to be considered and ensuring that there are no unexpected surprises.
- Accountability – Top Management is ultimately accountable for the ISMS, and any ISO27001 Auditor will need to know that they are on board.
Determine the Scope of your ISO27001 accreditation
A smaller scope isn’t always easier. When leaving some parts of your organisation out of the scope, it means they have to be treated as an “outside world”. That means you have to limit their access to the information within the scope, potentially creating more problems when it comes to implementation.
Additionally, if you become certified, a Change To Approval (CTA) will be needed for each scope expansion, meaning more money and more time. This is why it is crucial to seek professional advice for undertaking your ISO27001 accreditation – to be able to fully evaluate your business requirements.
Perform risk assessments, implement controls and audit your ISMS
Once you’ve defined your scope you will then need to ensure that your business has considered the risks to your information, applied the appropriate controls and validated that these are working effectively and in line with the requirements of the standard through internal audit. Once you are confident that your ISMS is working you can then consider your next steps towards certification.
Compliance vs Certification?
Determine exactly then what your business is aiming for – Compliance vs Certification.
Compliance can be defined as the point where an assessment, usually an internal audit, proves that the processes and controls determined by the ISMS are working satisfactorily, whereas certification requires an independent audit from an external body – this is where companies like JT come in.
When looking to certify selecting the right auditor is crucial, we advise that you select an auditor who is accredited by UKAS, the UK's recognised accreditation body.