BS ISO/IEC 27001
Information Security Management
ISO Consultant Colin says…
“ You don’t have to look far in the media to come across instances of data becoming compromised. Most of these events are due to negligence by the actions of system administrators, it is much less common for systems to fall prey to weak coding, as holes in the defense are usually picked up early and diligent system admin can implement patches quickly. ”
This standard, BS ISO/IEC 27001, concerns itself with business IT risk, requiring those implementing it to document their information assets, assess the risks to them, and implement controls and risk reduction techniques where appropriate. Asset gathering and risk assessment can be tedious by nature, but usually (and helpfully) also leads to the discovery of unknown weaknesses. Many larger organisations have opted for using reasonably expensive software for the asset management and risk assessment but a well constructed spreadsheet can be made to work at much reduced costs.
What is it all about ?
ISO 27001 is relatively new in the world of ISO Standards, but is actually 10 years old. It can trace its roots back to BS 7799, which was published in the late 1990’s. As cyber- security becomes more of a business and government issue, organisations are reviewing how they, and their suppliers, manage business-critical information which is electronically available, and potentially “hackable”
This standard gives some basic components for an Information Security Management System, which, when properly implemented, can help to safeguard your critical information from unwelcome and disruptive outsiders.
Securing sensitive info (data)
Data security should be at the forefront of business concerns, almost all businesses rely on information systems to operate, this is a standard that helps you review and refine the way you keep your information secure.
Law firms are particularly interested in this standard, storing litigation data securely requires the highest industry standards.
Protection of company, assets and directors
How important and sensitive is your data to competitors, cyber espionage is very much on the increase, the leaking of client or developmental data can be costly.
Why would my business want approval against this standard ?
This standard is now regularly addressed in tenders, particularly where the handling of critical information includes significant electronic communication, such by email, local or wide area networks or by internet.
Certification against ISO 27001 can bring significant market advantage, illustrating that not only do you take the security of your information seriously, but also that you’ve asked a third party specialist to verify that the measures taken are fully effective.
The application of the controls required by ISO 27001 should not only raise confidence in your security processes, but will also assure potential customers who may consider trusting you with some of their valuable and/or commercially-sensitive
How long would it take to become approved ?
That depends on the activities of your organisation, and the security measures you have already taken.
However, we can typically produce an Information Security Management System designed around your business, audit its implementation to ISO 27001 and get it through a UKAS-approved certification in around 10-12 working days. We have found that implementation is usually most successful when completed over a 2-6 month period, depending on the security structures already in place.
What must I need to do ?
Simply identify the areas of the organisation where significant risk to the security of information exists. Then develop and implement appropriate controls to reduce the risk.
Annex A of ISO 27001 offers a number of measures to control information security. The suitability of these controls for your business needs to be determined. Hence, where risk is significant, controls need to be developed.
The effectiveness of the controls must then be assessed through internal audits, and by assessing security performance against measurable objectives. A process for reporting security breaches (and potential breaches) also needs to be set up.
What is this likely to cost ?
Our fees are based on a day rate. The number of days are based on the activities of your business, but for ISO 27001, are typically 10-12 days for a small business. Certification by a UKAS ( i.e. UK Government approved body) typically costs £ 5-6000 for a three year certificate.
For more details and assistance in gaining the necessary certifications contact ISO Consultants.
We currently offer the following routes in pursuing this set of ISO Standards
At this time we have two options available for clients pursuing this set of standards and the implementation of controls. The final option will be available towards the end of this year.
Springtime Combined Offer
GDPR & ISO 27001
Take advantage of this once in a lifetime deal.