ISO 27001 is the international standard for managing information security. While it does not sound exciting, ISO 27001, known under its full title as ISO/IEC 27001:2013, specifies the requirements for an information security management system (ISMS): the policies, processes and controls an organisation uses to keep the information it holds, including customer data, safe in both the private and public sector.
ISO 27001 has been around a while. The first edition, ISO/IEC 27001:2005, was revised in 2013 to reflect the changing nature of information security and new threats against organisations and consumers. (A further revision, ISO/IEC 27001:2022, has since been published; this page describes the 2013 edition.)
Background to ISO 27001
Protecting data, credentials and computer services is more important than ever, with everything from banking to vital infrastructure connected to the internet and exposed to cyber attacks. Over the last few years, attacks have increased in complexity and frequency, exposing millions of people and businesses to security breaches, theft and fraud.
ISO 27001 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.” It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and maintained by a subcommittee of their joint technical committee.
Although ISO 27001 is about information security, it is a platform and technology neutral standard: it specifies how an organisation manages information security risks and systems, not which products or technologies it must use.
ISO 27001:2013 sets out its requirements in seven areas (clauses 4 to 10 of the standard) that an organisation must address to achieve certification. The security controls themselves are listed in Annex A and selected through the risk treatment process described below.
- Context of the organisation
An ISMS does not exist in isolation. Start with internal considerations: your organisation’s mission, values, products and services, sector, and financial and human resources. Think about stakeholders, internal capabilities, culture and contracts, then consider how external conditions, trends and customers could affect what you hope to achieve when designing the ISMS.
With this 360-degree view of the organisation in place, you can write the ISMS scope document that sets the boundaries of the system (including whether bring your own device, or BYOD, equipment falls inside them) and draft ISMS policies that meet the ISO 27001 requirements.
- Leadership
Organisations need to show top-down commitment to ISO 27001. Policies need to be established and become an integral part of how information security is managed, with the security policy communicated to the whole team. Senior management must set the security objectives and take clear responsibility for these policies.
- Planning
Planning the ISMS involves assessing the risks and opportunities that could affect information security, both internally and externally. A risk assessment identifies, analyses, evaluates and prioritises the risks to the organisation’s information. Each identified risk then needs a treatment decision (for example, reduce it with controls, accept it, avoid the activity, or share it with an insurer or supplier), and the controls chosen are recorded in a Statement of Applicability, so the organisation knows in advance how it will respond if and when a threat materialises.
- Support
An ISMS needs resources for successful implementation. Budgets need to be allocated and staff need to be trained and competent to deliver the security objectives and policies. These should always be proportionate to the threats facing the organisation. A small business does not have the same risk profile as a large government department: design your security policies according to your own internal and external threats.
- Operational planning & processes
Successful implementation of ISO 27001 involves embedding operational processes within the organisation: carrying out the planned risk assessments and risk treatment plans, and keeping documented evidence of the results.
- Performance evaluation
Effective information security involves continually monitoring, measuring, analysing and evaluating how well the ISMS is performing. To achieve certification, this must include internal audits and management reviews at planned intervals.
- Improvement
Even certified organisations will encounter nonconformities, situations where they fail to meet the standard or their own policies. When this happens, they need to establish what went wrong and take corrective action. This may mean revisiting the policies, resources and monitoring systems so that the problem does not recur.
Why get certified?
ISO 27001 certification is valuable not only for large organisations and the public sector, but also when dealing with third-party suppliers such as IT companies: a certified supplier can show that it manages your customers’ data under an audited ISMS. This establishes a higher level of trust between organisations of different sizes, since their IT infrastructure is held to the same security requirements, making it easier to transfer and store sensitive information.
Certification can also help you innovate. We helped Experian Data Quality achieve ISO 27001 so the company could expand its product range. Certification is a vital part of product development for its leading international address management software.
ISO 27001 is helping other organisations compete and differentiate in the marketplace. Leading specialist recruitment and human resources service provider Reed Managed Services wanted to demonstrate to its clients, employees and temporary workers that it takes data security seriously and manages it using international best practice. When they achieved ISO 27001 with our help, they were the only recruitment company to hold the certification.
Win more business
Businesses and organisations that want to work with government departments and agencies increasingly find that ISO 27001 is a standard requirement for doing business. Our customer Mouchel, a consulting and business services group, needed to achieve ISO 27001 in order to win government infrastructure projects.
Achieving ISO 27001 typically takes up to 18 months, but we’ve helped organisations get certified much faster. Experian Data Quality was certified in a record three months.
If you would like to find out more about how we can help you achieve ISO 27001, please get in touch.