Adoption of this standard, which is validated by external auditors and follows a best practice approach to information security, is a solution many organisations turn to in order to ensure that they have met their obligations to comply with various regulatory requirements such as UK Data Protection Laws, GDPR and the Computer Misuse Act 1990.
What is ISO 27001:2013?
The ISO 27001:2013 standard demonstrates that an organisation has developed and maintained an Information Security Management System (ISMS). This is a process that requires involvement from senior management/board level down, and filters through the whole organisation. It includes people, processes and IT systems and applies a risk management approach. It can help organisations of all sizes, in any sector, to keep their information assets more secure. It also ensures that organisations constantly revisit their ISMS as their business evolves and changes.
Why will ISO 27001 certification benefit my business?
- Business owners will be able to demonstrate that they comply with current international best practice in regard to securing information assets and managing the risk around them.
- ISO 27001 involves developing and maintaining an information security management system in which risks are constantly reviewed and controls are used to mitigate them; it is therefore ideal for demonstrating that technical and organisational controls are in place to maintain GDPR compliance.
- ISO 27001 certification demonstrates that an organisation has taken practical steps to meet their regulatory obligations.
- By implementing an information security management system (ISMS), the organisation can systematically protect itself from the potential costs and damage arising from computer misuse, cybercrime and loss of information assets.
- The organisation will have increased credibility both internally with staff and externally with customers and business partners. This may drive people to choose this organisation above others and lead to improved sales.
- The organisation will have clearly identified which information assets it has and their value. It will be able to make informed decisions about the risk around them and how best to secure them. This will ensure effective spend on IT security, keeping the cost proportional to the risk and benefit.
How is ISO 27001 certification achieved?
ISO 27001:2013 starts with identifying the scope and context of the organisation. It requires commitment from senior management to ensure that implementation is successful and is fully embedded within the organisation as business as usual.
It is necessary to identify the information assets and the risks to their confidentiality, integrity and availability. The process then applies risk treatment through a series of technical and organisational controls to mitigate these risks to an acceptable level. This is effectively the planning stage, and it is followed by an implementation stage in which these controls are put in place. Training is then required so that everyone knows their role and how they help to ensure that the implementation is successful.
It will then be necessary to carry out internal audits to check that these controls are effective and feed the results of this back into the process to ensure continual improvement.
Once ready, a stage one external audit will be carried out by the accreditation body, with recommendations for improvement, and the final step will be the stage two audit.
The structure of ISO 27001, with its constant review and management of the risks to information assets, means that the process can easily incorporate and demonstrate ongoing GDPR compliance.
How can Securious help?
We can guide you through the stages needed to implement ISO 27001:2013. We would stress that this process is something that is created by you and your staff with the commitment of your management team.
We generally find that an initial workshop with you and/or your project group is the best way to get you started, followed by our input, as data and IT security specialists and ISO 27001 Lead Implementers, as you need it. When you are ready to undergo certification we can help arrange this directly.
We are based in Exeter, Devon and are ideally located to help businesses from Plymouth, Exeter, Taunton and Bristol and the surrounding areas. We find that much of our work takes us countrywide as many businesses prefer our open and honest approach, and our ability to provide a results based, timely solution at a fair price.
Ready to get started with ISO 27001 or have questions? Let us know now...
ISO 27001 FAQs
Would it be easier to get a consultant to achieve ISO 27001 for me?
Yes, of course, but this would likely be a costly process and may not result in the full engagement of your team. They may not feel they have ownership of the process, and this is a very important factor in making it successful and worthwhile. Securious will work with you and your team through the various stages and provide support where needed.
Is ISO 27001:2013 a one-off exercise?
No. It is important to understand that to maintain your certification you will need to continue monitoring and reviewing your ISMS on an ongoing basis.
How much will it cost?
There is no simple answer to this, as there are so many variations and each business is different. However, a one-day workshop will identify where you are and what steps you need to take to achieve certification. From there it will be possible to identify the costs involved. Call us to discuss how we can help.
Why should I choose Securious to help me?
Securious is passionate about helping businesses protect themselves from cyber security threats. We are a founder member of the South West Cyber Security Cluster, which aims to help local businesses and communities understand cyber threats and protect themselves. We pride ourselves on being approachable, professional and results driven. We will not try to sell you "days" but will find out what you need, plan with you how to achieve your requirements and then identify what costs this will involve.