Taking information security seriously?
It hasn't been that long since business security consisted of locks, keys and someone monitoring visitors. However, in recent years electronic data has become the key vulnerability to businesses. Now, a password is all it takes to gain access to a wealth of important, confidential and expensive information. See what you can do to reduce risk in the article below.
Data security has been brought to the attention of the masses thanks to the recent 'LulzSec' hacking group targeting large companies such as Sony, MasterCard and PayPal. In the UK, details from the Census were hacked, whilst Travelodge's website was attacked, resulting in customer emails being stolen. The thought for many business owners must be: if those security functions can be breached, how difficult would it be to steal my company's information? More importantly, customers want assurance that their personal details are secure.
Demonstrating Information Security
It's easy to say that your data is secure, but harder to prove it. Most organisations have a range of information security policies, but these can be disorganised or out of date where they were created reactively, i.e. after an incident had already occurred. The solution is ISO 27001, an internationally recognised information security standard which thousands of organisations of all sizes have implemented globally. The standard applies to organisations that wish to assess their information security risks and implement ways of addressing them. It gives an organisation assurance that its processes and controls are secure, and it helps to develop and enhance best practice.
Holding certification to ISO 27001 certainly helps to prove information security credentials. Its implementation can also help win particular public and private sector contracts, where proof of information security is judged essential.
The ISO 27001 standard requires that you systematically examine any risks to the organisation's information security and put in place comprehensive policies to manage those risks that are within its control. The intention is that an organisation should design, implement, maintain and continually improve a set of controls and measures to manage any threats to its information assets.
The idea behind ISO 27001 is that you become a proactive business, not a reactive one. Planning ahead means you aren't at risk of any threats that could prove, at best, embarrassing, or at worst, put your business at great risk.
By achieving ISO 27001 certification through a Certification Body, you demonstrate that an independent third party has verified that you meet all requirements of the information security standard. Not only is this a powerful message when tendering for new business, it also provides greater assurance to current clients.
The Certification Process
Becoming certified to ISO 27001 is essentially a three-stage process. It shares similar characteristics with other popular ISO management standards, such as ISO 9001.
The first stage is an informal look at the processes and policies you already have in place. An auditor will identify any 'gaps' so you can correct them before the next stage, the formal audit for certification.
The stage two audit is where your auditor will seek evidence to confirm that the management system has been properly designed and implemented. If you have done so, you can then be recommended for certification.
Once you have achieved certification, it is a case of having review audits to ensure your organisation is continuing to meet the requirements of ISO 27001. Normally held annually, they can be more frequent if you feel it would be more beneficial.