ISO/IEC 27001:2013 (ISO 27001) is the international standard that describes best practice for an information security management system (ISMS). Accredited certification to ISO 27001 demonstrates that an organisation is following information security best practices.
The newest version of the Standard is ISO/IEC 27001:2013, which supersedes ISO/IEC 27001:2005.
ISO 27001 – A FRAMEWORK FOR COMPLIANCE
Accredited certification to ISO 27001 demonstrates to existing and potential customers that an organisation has defined and put in place best-practice information security processes. Not only does certification to the Standard show that you are safeguarding your sensitive data, it will help you create a framework for complying with a number of regulations, including:
- The Telecommunications Regulations Act 1998
- The Data Protection Act 1998
- The Computer Misuse Act 1990
- The Human Rights Act 1998
- The Regulation of Investigatory Powers Act 2000
- The Copyright, Designs and Patents Act 1998
- The Freedom of Information Act 2000 (public sector).
IMPLEMENTING ISO 27001
An ISMS is specific to the organisation that implements it, so no two ISO 27001 projects are the same. Getting ready for certification can take anything from three months to a year, depending on numerous factors specific to the organisation.
Although there is no typical ISO 27001 implementation project, most will follow this pattern, or something very similar:
- A gap analysis, which determines how far short of the Standard’s requirements your current processes fall.
- A risk assessment, which identifies the assets relevant to information security and the risks to them, then estimates and evaluates those risks.
- The identification and selection of appropriate controls in order to develop a suitable risk response plan.
- Preparation of a risk treatment plan and a Statement of Applicability.
- Development of management system documentation, including relevant policies and procedures.
- Performance evaluation and preparation for an internal audit, which determines the extent to which your new procedures are successful.
- Development of relevant documented processes and related procedures for non-conformity, corrective action and continual improvement.
- Preparation for the certification audit.
- Surveillance, continual improvement and maintenance of your ISMS.
WHAT IS AN INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)?
An ISMS is “a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s information security to achieve business objectives” (ISO/IEC 27000:2016).
It encompasses people, processes and technology, recognising that information security is not just about antivirus software, implementing the latest firewall or locking down your laptops or web servers. Technology alone is simply too weak to defend against the evolving nature of information security threats.
The overall approach to information security should be strategic as well as operational, and different security initiatives should be prioritised, integrated and cross-referenced to ensure overall effectiveness.
An ISO 27001-aligned ISMS helps you coordinate all your security efforts (both electronic and physical) coherently, consistently and cost-effectively.
ISO 27001 & THE CYBER ESSENTIALS SCHEME
The Cyber Essentials scheme is a key deliverable of the UK government’s National Cyber Security Strategy, and was released on 7 April 2014. It aims to provide reassurances about cyber risk management to UK-based organisations, clients and partners, and to ensure that risk management practices have been independently tested and verified, where relevant.
The scheme provides a set of controls based on ISO 27001 that organisations can implement to achieve a basic level of cyber security.
Organisations can attain certification to two levels: Cyber Essentials and Cyber Essentials Plus. Certified compliance with the scheme will be required in certain government procurement contracts.
CONTACT ACUMEN CONCEPT SERVICES
If you require any further information on implementing ISO 27001 please feel free to contact Acumen Concept Services today.