Use the ISO 27001 standard to ensure the confidentiality, integrity and availability of information and continually improve information security performance
Information Security is a critical issue in organisations today.
The number of cyber attacks and data breaches is on the increase, so you will need to be prepared. ISO 27001 gives you a framework for managing the confidentiality, integrity and availability of your information.
ISO 27001 is the internationally recognised standard for Information Security Management Systems (ISMS). The purpose of an ISMS is to enable organisations to:
Reduce Information Security risks to an acceptable level
Improve Information Security performance now and in the future
Involve workers in decisions and see positive results
ISO 27001 is written as a generic standard and provides a management framework for an organisation to manage and improve its Information Security performance. Critically, it focuses the organisation's attention on the controls needed to treat the risks it has identified, rather than on a fixed checklist of measures.
Many organisations already manage some areas of Information Security, but the level of governance provided by an ISO 27001 ISMS leads to systematic, organised improvement in Information Security performance over time. As a result, the confidentiality, integrity and availability of data become a key focus throughout a worker's time with the organisation, from recruitment and induction to the point at which they leave.
Disciplines within Information Security management overlap with those of other management system standards.
Procedures and instructions written for Information Security management can be written in conjunction with quality (ISO 9001) procedures, giving workers a single set of instructions or guidance on how to carry out tasks securely.
In addition, ISO 27001 requirements support an organisation's business continuity planning: the risks arising from significant disruptive events can be assessed in advance, and actions put in place to manage them if they occur.
Information Security management, like all ISO management system standards, has adopted the PDCA cycle as the basis of continual improvement. Organisations don't have to be perfect in order to have an effective Information Security management system, but the expectation of the standard is that you can demonstrate the journey your organisation is taking. Over time, your capabilities and effectiveness will improve if you critically review your Information Security performance in order to improve it.
In following the Plan-Do-Check-Act process, the management team will improve their planning processes and develop their skills of critical assessment with regard to Information Security management. Part of this improvement will be to crystallise Information Security objectives at both a strategic and an operational level.
The Plan-Do-Check-Act process is a critical element of the management system, and each time the cycle is followed through, the capabilities of the team will get better. Tangible improvements arising will include:
As with all ISO standards, you can sometimes get lost in the jargon. We've listed some frequently asked questions here.
We know that reading about it isn't the same as a good chat. Speak to us to find out what it means to you and your business.
Enhance your business even further with the good practices and requirements in ISO 27001.
The Standard builds on common practices found in every good organisation.
Let Spedan take care of the process for you. Our consultants are based across the UK and ready to talk through your project, simply contact us to discuss your requirements.
How do I get ISO 27001?
The process of developing an Information Security management system that meets the ISO 27001 standard can take anywhere from 3 to 12 months depending on the level of maturity of the organisation. In some cases, it is simply a case of introducing some new governance processes or developing documentation, whereas in others, an organisation will need to start from scratch.
Getting ISO 27001 is then a matter of being certified. UKAS-accredited Certification Bodies are the organisations that carry out a series of audits of the Information Security management system against the ISO standard. If the audits find that the ISMS meets the standard, the organisation is awarded an ISO 27001 certificate. Certificates run on a three-year cycle, with annual surveillance audits in between and a recertification audit at the end of the cycle.
How long are ISO 27001 audits?
The first phase of the ISO 27001 audit process is the 'Stage 1' audit, which looks at the readiness of the system and checks that the required documentation is in place.
The benefit of the Stage 1 audit is that the organisation can test out its ideas and identify gaps without the risk of failing certification. The audit results in a report that sets out the work to be completed before the Stage 2 audit, which then assesses whether the ISMS is implemented and operating effectively.
Usually there is a gap of 4 weeks to 6 months between the Stage 1 and Stage 2 audits, which allows the organisation to gather more evidence of the system operating and to increase its capabilities.
How much does ISO 27001 cost?
Like any product or service that an organisation buys, it is important to shop around Certification Bodies and ensure that you get a level of service you want, at a price that is acceptable.
UKAS-accredited Certification Bodies are subject to quality standards themselves, and UKAS acts as an ombudsman, which gives you assurance that any issues will be resolved appropriately.
Typically, direct audit costs are charged on a day-rate basis, and the number of days varies according to the size of the business. Companies of up to 50 people can expect initial certification costs of approximately £5k, and ongoing costs of up to £2-3k per annum.
Spedan Ltd are Associate Consultants to the major ISO Certification Bodies and can help clarify your costs before you commit to one supplier.