What is ISO 27001?
ISO 27001 is an international standard for Information Security. Most organisations will have some security controls in place within their business; the antivirus you see on your computer and the usernames and passwords required to log in each day are obvious examples.
These controls are commonly implemented to deal with a particular situation or set of circumstances. This often means that security solutions are overly IT-focused and do not consider other aspects such as paperwork, disaster recovery and human resources.
ISO 27001 unifies and manages these disjointed and fragmented security controls. In doing so, it creates an Information Security Management System.
The ISO 27001 management system is internationally recognised and the benchmark for information security.
ISO 27001 clearly demonstrates to interested parties (staff, consumers, clients and suppliers) that you have effective measures in place to protect the information you hold, thereby enhancing your reputation.
Holding ISO 27001 accreditation is an enabler. It allows organisations to tender for business in regulated sectors such as banking, health and public bodies.
In a post-GDPR world, suppliers and organisations need to demonstrate that processing of personal data is undertaken in a secure manner.
The greatest risk an organisation now faces is a breach of its Information Systems, the consequences of which could be significant financial and reputational penalties. Through implementing ISO 27001, organisations can reduce the likelihood of a breach and its impact.
As a result of changes in legislation, clients and customers are increasingly insisting that suppliers are ISO 27001 accredited. By attaining ISO 27001 you can reduce the risk of losing existing or future business by not being able to demonstrate the security of your operations.
elucidates Consultants can offer assistance with:
Gap analysis – We will evaluate your current security controls and procedures and detail what work needs to be completed to prepare for ISO 27001 auditing and certification.
Risk Assessment – A key step in the ISO 27001 standard is to undertake a risk assessment, identifying information assets within your organisation and the risks they face with respect to any loss of confidentiality, integrity or availability. We can help construct a risk management programme that supports this requirement.
Identifying and implementing suitable controls – Once all information assets and risks have been assessed, we can help with the selection and implementation of controls that will reduce those risks.
Statement of applicability – The statement of applicability (SOA) formally documents which controls have been selected, and why, as part of the risk treatment plan. This is a key area reviewed by auditors.
Internal auditing – To help you prepare, and to ensure that your management system is ready for external assessment.
Policies and procedures – We can assist with the creation of any required information security policies and procedures. From incident management through to clear desk policies, our consultants have the knowledge and experience to help.
Training and advice – We can provide general guidance and advice with respect to the standard. Our consultants recognise that you must live with ISO 27001 once it has been implemented. We believe in knowledge sharing, empowering and enabling our clients.