What is ISO 27001?
ISO 27001 (formally ISO/IEC 27001) is the international standard that sets out the requirements for an information security management system (ISMS): the policies, processes and controls through which an organisation protects the confidentiality, integrity and availability of the information it holds and meets its legal and contractual obligations. It can be applied by any organisation, of whatever type or size, in any sector.
Certification to ISO 27001 is achieved by designing and implementing a documented ISMS that meets the requirements of the standard and fits the organisation's needs, operating it, and then having it audited by an independent certification body. A successful audit leads to formal certification to ISO 27001.
The Benefits of Achieving Certification to ISO 27001
ISO 27001 is an essential tool for all organisations with responsibility for receiving, managing and controlling information. Setting up an ISMS and achieving certification to the requirements of the standard can produce a range of benefits, including:
- Reducing the risk of damaging and costly security lapses.
- Improving efficiency by establishing a recognised management system, using lawful processes, tailored to the organisation’s needs, that are clearly defined and understood.
- Ensuring compliance with legal, regulatory, professional and best practice requirements.
- Ensuring that the rights, interests and confidentiality of the organisation, its employees, customers, suppliers and other parties are properly safeguarded.
- Offering continuous improvement of information security controls as the needs of the organisation and other demands change.
- Protecting and enhancing the organisation's brand and reputation.
- Offering the organisation a competitive edge by enabling it to bid for more contracts and pass more selection processes, where customers require the contractor to have an ISMS.
- Increasing trust and confidence in the organisation’s integrity, competence and professionalism.
- Enabling the organisation to demonstrate a high level of awareness, responsibility and customer care and commitment.
- Offering good publicity and marketing opportunities.
- Alleviating concerns about risk and security issues, offering peace of mind and enabling the organisation to concentrate on developing the business.
ISO 27001 in More Detail
The standard sets out the general requirements for an ISMS in clauses covering the context of the organisation, leadership, planning, support, operation, performance evaluation and improvement, followed by Annex A, a reference list of information security controls.
ISO 27001 also specifies the documented information that the system must include, such as the scope of the ISMS, the information security policy and objectives, the risk assessment and risk treatment processes and their results, and a Statement of Applicability recording which Annex A controls have been adopted and why any have been excluded.
Since the 2013 revision, the standard has given organisations greater flexibility to select the security controls that suit their own risks and requirements, provided that each selection or exclusion is justified against the risk assessment. The 2022 edition retained this approach and reorganised Annex A into organisational, people, physical and technological controls.
The standard shares the common high-level structure, core text and terminology used by modern ISO management system standards. This enables organisations to integrate several management systems, where appropriate, to avoid duplication of effort, reduce cost and increase efficiency. For example, information security can be integrated effectively with ISO 9001 (quality management), ISO 22301 (business continuity) and many other standards.
ISO 27001 is supported by a code of practice, ISO/IEC 27002, which gives implementation guidance for the controls listed in Annex A of ISO 27001. It is guidance rather than a certifiable standard; certification is always against ISO 27001 itself.
Implementing ISO 27001 Under Touchstone Renard’s Programme – Step By Step
An indication of the programme that Touchstone Renard would propose to support an organisation in developing and implementing a management system to the requirements of ISO 27001, would be as follows:
- We would hold a meeting with key people in the organisation to provide an overview of the standard’s requirements for setting up and maintaining an ISMS.
- A discussion would follow about the organisation, its practices and needs and the information held, stored and processed. As part of this, the specific benefits of ISO 27001 certification would be identified in more detail.
- We would carry out a gap analysis to produce a comparison between the organisation’s current information security processes and the requirements of the standard.
- We would examine a wide range of controls, corresponding to the control areas of Annex A, including:
  - policies for governance and management of information security;
  - physical protection of premises and IT facilities;
  - security measures for employees, before, during and at the end of employment;
  - access rights and access control;
  - the risk management approach and system;
  - management of information security incidents;
  - procedures for acquiring, developing and maintaining systems;
  - business continuity management;
  - compliance with legal requirements, policies and procedures.
- Changes would be identified that could benefit the organisation, with the aim of also reducing cost where possible. These may require the introduction of new procedures or it may be possible to adapt those that already exist.
- The ISMS would be designed with a range of new or amended, documented policies and procedures. We would prepare the necessary documentation and management systems to comply with the requirements of the standard.
- All managers and their teams would be kept informed and trained in the new processes, as appropriate.
- The new ISMS would be set up and allowed to become established as part of the organisation's daily routine. Certification auditors expect evidence that the system has actually operated, including at least one internal audit and management review, before they will certify it.
- Once the ISMS is running successfully, in compliance with the requirements of ISO 27001, an independent assessment would be arranged. This is normally carried out in two stages, a review of the documented system followed by an audit of the system in operation, leading to certification to the standard.
As mentioned previously, ISO 27001 can be aligned with other management standards. Organisations may therefore consider setting up an integrated management system to accommodate ISO 27001 and other standards. Touchstone Renard will also help with this, if required, and can offer support with most management standards.
Achieving ISO 27001 Certification By A UKAS Accredited Body
The United Kingdom Accreditation Service (UKAS) is recognised by the UK government as the national accreditation body that assesses organisations providing certification to internationally recognised management standards, such as ISO 27001. Accreditation by UKAS is evidence of the competence, impartiality and performance capability of the certification bodies that it accredits. UKAS is a non-profit-distributing private company.
Following the implementation of a new management system, Touchstone Renard always recommends that formal certification to the standard be carried out by an independent certification body, accredited by UKAS. This enables the final certification process to remain independent from the work carried out by Touchstone Renard in setting up the system, providing transparency, confidence and reassurance that the new procedures are sufficiently robust and that they comply with the requirements of the standard.
Touchstone Renard will support clients in designing and implementing an information security management system to the requirements of ISO 27001 before facilitating clients in selecting a UKAS accredited body (of the client’s choice) to carry out the final assessment and certification of the new system, independently of Touchstone Renard.
Following achievement of certification to ISO 27001 through an independent certification body, an organisation will be entitled to use that body's certification mark, incorporating the UKAS accreditation symbol, as evidence of its success, subject to the certification body's rules on its use.
Why choose Touchstone Renard to support ISO 27001?
Touchstone Renard has successfully helped organisations of all types and sizes, across the private and public sectors, to design and set up new or updated management systems since the 1990s, in compliance with a range of recognised standards.
Our friendly and experienced team can help any organisation to implement and maintain a management system to the requirements of ISO 27001. We are able to provide the support needed while enabling our clients to continue with the smooth operation of their organisations, without distraction.
Our services include any or all of the steps needed to help any organisation design, document, install and monitor the policies and procedures that it will need to achieve and maintain a management system under one or more standards. We can also offer awareness training and ‘dry run’ assessments, prior to formal assessment by an independent body.
Under our flexible service, if an organisation already has a management system in place or wishes to do part of the work itself to achieve certification, we can adapt the level of support required. An increased level of help can be offered to clients who would welcome more assistance.
Once certification to ISO 27001 has been achieved, we can offer future support in maintaining the system to meet the requirements of the standard, including preparation for the certification body's periodic surveillance audits and for re-certification, which is normally required every three years.
No assignment is too small or large for us and every client organisation that engages our services receives a free copy of the standard.
Please Contact Us
If you would welcome a discussion about achieving or maintaining certification to ISO 27001 or other management standards, please contact Phil Austin, Managing Director, without any obligation:
- T: +44 (0)203 954 2576.
- M: +44 (0)7768 366744.
- Email: [email protected]