ISO Standards

Information Technology – Information Security Management Systems – Requirements

This standard, BS ISO/IEC 27001, concerns itself with business IT risk, requiring those implementing it to document their information assets, assess the risks to them, and implement controls and risk reduction techniques where appropriate. Asset gathering and risk assessment can be tedious by nature, but usually (and helpfully) also leads to the discovery of unknown weaknesses. Many larger organisations have opted to use reasonably expensive software for asset management and risk assessment, but a well-constructed spreadsheet can be made to work at much reduced cost.

What’s it all about?

ISO 27001 is relatively new in the world of ISO Standards, but is actually 10 years old. It can trace its roots back to BS 7799, which was published in the late 1990s. As cyber-security becomes more of a business and government issue, organisations are reviewing how they, and their suppliers, manage business-critical information which is electronically available, and potentially “hackable”.

So, ISO 27001 gives some basic components for an Information Security Management System, which, when properly implemented, can help to safeguard your critical information from unwelcome and disruptive outsiders.

Why would my business want approval against this standard?

This standard is now regularly addressed in tenders, particularly where the handling of critical information includes significant electronic communication, such as by email, local or wide area networks, or the internet.

Certification against ISO 27001 can bring significant market advantage, illustrating that not only do you take the security of your information seriously, but also that you’ve asked a third party specialist to verify that the measures taken are fully effective.

The application of the controls required by ISO 27001 should not only raise confidence in your security processes, but will also assure potential customers who may consider trusting you with some of their valuable and/or commercially-sensitive information.

How long would it take us to become approved?

That depends on the activities of your organisation, and the security measures you have already taken.

However, we can typically produce an Information Security Management System designed around your business, audit its implementation to ISO 27001 and get it through a UKAS-approved certification in around 10-12 working days. We have found that implementation is usually most successful when completed over a 2-6 month period, depending on the security structures already in place.

What am I likely to need to do?

Simply identify the areas of the organisation where significant risk to the security of information exists. Then develop and implement appropriate controls to reduce the risk.

Annex A of ISO 27001 offers a number of measures to control information security. The suitability of these controls for your business needs to be determined. Hence, where risk is significant, controls need to be developed.

The effectiveness of the controls must then be assessed through internal audits, and by assessing security performance against measurable objectives. A process for reporting security breaches (and potential breaches) also needs to be set up.

What is this likely to cost?

Our fees are based on a day rate. The number of days is based on the activities of your business, but for ISO 27001 is typically 10-12 days for a small business. Certification by a UKAS-accredited body (i.e. one approved by the UK Government) typically costs £5,000-6,000 for a three-year certificate.

For more details and assistance in gaining the necessary certifications contact ISO Consultants.

A free PDF download on ISO 27001, summarising this page, is available here.