ISO/IEC 27001 is a standard set out by the International Standards Organisation that helps your organisation manage the security of its information assets. These assets can include electronic and paper records, reputation, applications, infrastructure, third parties, and more.
Additionally, the certification helps organisations formulate an information security management system (ISMS), which helps to mitigate the growing number of information and cyber attacks.
ISO/IEC 27001 Requirements
ISO/IEC 27001 requires an organisation to:
- Define the scope of certification and examine the information security risks.
- Design and implement a set of information security controls to mitigate these risks based on ISO 27002 (code of practice based on 14 guiding principles & up to 114 controls).
- Adopt an information security forum (senior management process) to ensure that the information security risks and controls continue to meet the organisation’s information security needs on an ongoing basis.
- Ensure that the ISMS framework has pragmatic policies and procedures undertaken consistently.
IT Governance suggests that:
The two most important activities when implementing ISO 27001 are:
Scoping your ISMS (clause 4.3), in which you define what information needs to be protected; and
Conducting a risk assessment and defining a risk treatment methodology (clause 6.12), in which you identify the threats to your information.
ISO/IEC 27001 Deployment
The organisation can deploy ISO 27001 to ensure the controls selected are appropriate to the risks and proportionate to organisational needs. Therefore, a growing number of SMEs are choosing to go through the certification process. This demonstrates to their trading partners that they take information and cyber security seriously, and the objectivity and rigour of the external certification lets them prove that they are trustworthy.
ISO/IEC 27001 Process
The process is best viewed as several phases:
- A Current State Analysis of the policies & processes in place against the standard’s requirements, to identify the gaps that need to be addressed.
- Draw up a complete inventory of information-related assets that can be risk assessed, to understand the threats and vulnerabilities they need to be protected against.
- Based on the gaps identified in the current state analysis, establish a security improvement plan to guide the organisation towards building an effective ISMS.
- Undertake a tailored training and awareness programme to guide senior managers and staff on what the standard demands, creating an appropriate information and cyber security culture. This phase also needs to establish an internal audit certification process, so that internal assurance that the policies and procedures are being maintained is provided on an ongoing basis.
- Finally, a mock certification process is needed to ensure the organisation is ready to face external certification.
Benefits of ISO 27001
IT Governance suggests that:
At the heart of an ISO 27001-compliant ISMS are business-driven risk assessments, which means you will be able to identify and treat security threats according to your organisation’s risk appetite and tolerance.
- Reduces the risk of financial and reputational damage.
- Supports any bids and tenders with ISO 27001 requirements and provides you with a marketable offering.
- Improves the protection for the organisation, your suppliers, and the public.
- Supports your legal, regulatory and contractual obligations, e.g. GDPR (General Data Protection Regulation).
- Helps to manage risk and reduces possible information security incidents.
- Improves information security through better-defined roles and responsibilities and better governance in supplier management and selection.
- Improves the consistency in the delivery of IT services.
The code of practice (ISO/IEC 27002), which the certification process uses to establish the required controls, is currently being revised.
The revised control set will be published in early 2022. The revised ISO/IEC 27002 will be simpler to understand (only four guiding principles) and will have fewer controls to select from (93 instead of 114). Therefore, it will be more attractive and less daunting for smaller organisations.
How can Sapphire help?
Sapphire has been assisting clients to achieve ISO/IEC 27001 certification for over 15 years. We have gained an enviable record of successful certifications across a wide range of organisations, so our proven experts can speed up your certification process.
We can also design ‘generic’ policy templates to uplift your current arrangements, and we can assist new clients in gaining certification through a clear phased approach. This takes the strain off your resources & enables straightforward ‘tailoring’ to your environment.
Get in touch with us for more information below!