ISO 27001: Beginner's Guide


Thanks to recent news stories, information security has suddenly become a priority for many organisations worldwide.

The ISO 27001 information security management standard is a recognised way of demonstrating that you are identifying and managing your information security risks effectively. Read on for an introduction to the standard and to the benefits of certification.



What is ISO 27001?


To give it its full title, ISO/IEC 27001 is a standard created jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and it concerns Information Security Management.

The ISO 27000 family contains a number of published standards, of which ISO 27001 is the one that organisations can be certified to; the others (such as ISO 27002, the code of practice for security controls, and ISO 27005 on risk management) are guidance. ISO 27001 can be traced back to British Standard BS 7799, published in 1995. Originally written with the UK Department of Trade and Industry (DTI), Part 1 of BS 7799 was, after several revisions, adopted by ISO as ISO/IEC 17799, which has since been renumbered ISO/IEC 27002.

A second part of BS 7799 (BS 7799-2) specified the requirements for implementing an Information Security Management System (ISMS), and it is this part that became ISO 27001 when it was published in October 2005. A third part, BS 7799-3, followed in 2006; it covers information security risk analysis and management and is aligned with the ISO 27001 standard.

The basic objective of the ISO 27001 standard is to help an organisation establish and maintain an effective ISMS using a continual improvement approach (the 2005 edition frames this as a Plan-Do-Check-Act cycle). The standard requires you to examine systematically the risks to the organisation's information, taking account of threats, vulnerabilities and impacts, and to put in place policies and controls to treat those risks that are within your control. The intention is that an organisation should design, implement, maintain and continually improve a coherent set of controls and measures to manage the threats to its information assets, rather than accumulating ad hoc safeguards.

According to the ISO Survey, by the end of 2009 almost 13,000 ISO 27001 certificates had been issued worldwide, with the UK the third-largest market for the standard.

What are the benefits of choosing ISO 27001?


Recent news stories have brought information security into sharp focus for businesses worldwide. Hacker groups have shown that even the world's biggest companies are vulnerable, so what does that mean for smaller businesses? As more and more data is entrusted to third parties to store securely, ISO 27001 allows the businesses looking after that data to demonstrate that they take the threats to their customers' information seriously.

The idea behind ISO 27001 is that you become a proactive business rather than a reactive one. Planning ahead reduces your exposure to threats that could prove, at best, embarrassing or, at worst, put the business at serious legal, reputational or financial risk.

Because ISO 27001 is an internationally recognised standard implemented by thousands of organisations, it is a way of replacing a mass of outdated, contradictory or ineffective policies with a single coherent set. The standard gives an organisation assurance that its processes and controls have been measured against a recognised benchmark, and it helps to develop and embed good practice.

Improved organisation is a massively underrated benefit of implementing ISO 27001. As a business grows rapidly, it doesn't take long before there is confusion over who decides what, who is responsible for particular information assets, and who has to authorise access to various systems. The standard requires these roles and responsibilities to be defined and documented, so it can also help you become a more productive business.

Because it is so widely recognised, ISO 27001 is particularly credible when tendering for work. Within the public sector, information security is deemed essential, so following such a well-known standard could be the difference between winning and losing a vital contract. ISO 27001 also gives an overall marketing edge over your competitors, particularly as certification to the standard puts you alongside well-respected companies such as Microsoft.

Of course, it's not all about winning new business; it's just as important to retain existing clients. Adding another string to your bow gives clients one more reason to stay with you, at a time when the economic situation has once-loyal clients looking around to justify cost.

It's also useful to know that ISO 27001 is part of a group of management system standards. As well as Information Security Management, there are standards for Quality Management (ISO 9001), Environmental Management (ISO 14001), and Health and Safety Management (OHSAS 18001). They share many principles, such as management commitment, documented procedures, internal audit and continual improvement, so choosing an integrated management system can save you money as well as provide across-the-board benefits.

Of course, the suggested benefits are all very well, but what do people who already have ISO 27001 in place think? A 2011 survey by the Rotterdam School of Management at Erasmus University found that 87% of respondents said implementing ISO/IEC 27001 had had a positive or very positive outcome.

Choosing a Certification Body


By achieving ISO 27001 certification through a Certification Body, you have proven that an independent third party has verified that you meet all requirements of the standard. Not only is this a powerful message when tendering for new business, it helps provide greater assurance to current clients too.


The decision to choose a Certification Body should be approached with caution, as there is no mandatory regulation of the industry: anyone can offer an 'ISO 27001 certificate'. In the UK, the United Kingdom Accreditation Service (UKAS) is the only Government-recognised body for accrediting certification services, and an accredited body is itself assessed against the requirements for ISMS certification bodies set out in ISO/IEC 27006. For peace of mind, therefore, it is worth choosing a certification body that has been accredited by UKAS, and confirming that accreditation in UKAS's own directory rather than taking the body's word for it.


UKAS accredited certification bodies can demonstrate that their people and processes meet required standards and they are regulated to ensure they maintain such standards. They are also required to demonstrate that their certifications are objective and impartial.


How long does ISO 27001 certification take?


Becoming certified to ISO 27001 normally takes between 3 and 6 months, but this depends on the size of the organisation and how many sites it has. Management buy-in is undoubtedly essential if implementation is to be hassle-free, but it is also important to have a main coordinator who takes responsibility for achieving certification. This can seem daunting for the person made responsible, but in most cases the principles of ISO 27001 will soon become integrated within your business, and before you know it, it will just be the way you do things.


What is involved?


The process starts with what's known as a 'Stage 1 Audit'. This is where your Lead Assessor reviews your existing systems and documentation and provides you with a gap analysis report identifying the actions required to meet the standard. This report can usually be used as an action plan, so don't worry if you think you're under-prepared. Many organisations find they already have a number of the required processes in place; they just need better documentation and communication of which processes are mandatory and who has responsibility for what.


Once the organisation is ready and has filled the gaps highlighted in the Stage 1 report, an Auditor will visit your premises to carry out a second visit, known as the 'Stage 2 Audit'. This assesses the effectiveness of your information security management system in practice and whether it meets all the requirements of the standard. If you are fully compliant, the Auditor will recommend you for certification. The Auditor's report is then checked through an approvals process and, if no anomalies are identified, ISO 27001 certification is officially awarded.


Ongoing Certification


To maintain your ISO 27001 certification, it is mandatory to have at least one surveillance audit visit per year to ensure you are still meeting the requirements. Surveillance audits sample the ongoing effectiveness of your information security management system, and you will receive a written report outlining the results. These can include major or minor non-compliances and observations. Should a major non-compliance be identified, you would be given a set period of time to rectify it; if it is not resolved within that period, your certification may be suspended or withdrawn.

Very large organisations will often be required to have more than one surveillance visit per year. In some cases, if a large number of non-compliances are identified at each surveillance audit, your certification body may require you to undertake 6-monthly surveillance audits for an agreed period.


Every third year a full recertification audit is undertaken. This is aimed at identifying key trends of strength and weakness, and your certification body will work with you to identify opportunities for improvement. Such third-year audits are more extensive than the annual surveillance audits, and some certification bodies may charge extra to undertake them.

It is our philosophy to work with our clients 'without fear or favour'. However, to maintain our objectivity and impartiality we cannot undertake improvements for you; we can and will point you to recognised best practice and answer questions with sensitivity and understanding. Ultimately, we want to help you gain the most from ISO 27001 certification and reap the benefits that a commitment to continual improvement can offer.




The British Assessment Bureau's reputation was established in 1969 and we achieved pre-eminent status in 1997.


As well as providing certification to internationally recognised standards such as ISO 9001 and ISO 14001, we provide bespoke assessment services for people, services and organisations of all sizes.


For more information visit www.british-assessment.co.uk.
