What is it for?
When running a business, many risks can be associated with the way you gather, process, store and communicate information. If a business does not have control over the security and access of its information, the results can be disastrous. It is this problem the principles laid out in ISO 27001 are designed to deal with.
Businesses certified with ISO 27001 have the systems and processes in place to ensure that they gather, process, store and communicate information in a secure and controlled manner.
Who is it for?
All organisations should have strategies for managing information security and becoming ISO 27001 compliant is an effective way of achieving this. Businesses who need to demonstrate to others that they manage their information well should become ISO 27001 certified.
What are the benefits?
Win and retain more business Prospective customers are very concerned about fraud, theft of personal data, and reputational damage due to security breaches. An organisation that can demonstrate that they take cyber security threats seriously, their physical and logical security is well managed and ensure that information remains confidential at all times, will create a better impression in the minds of others, especially their customers.
Achieving certification puts you alongside the likes of Google, Cisco, Microsoft and Verizon, which can help you maintain a competitive edge particularly when tendering for work. In the public sector and enterprise level companies, information security is essential, so becoming ISO 27001 certified could be the difference between winning and losing tenders. Furthermore it will help retain your existing clients. Good security practice is another reason for clients to stay with you where as a security breach could mean losing existing clients.
Protect and enhance your reputation Implementing and maintaining ISO27001 conformance protects your information assets, helping you to avoid damage to your reputation and brand. When it comes to security breaches, the consequences of non-compliance can be serious.
Improved productivity As a business grows, confusion over who decides what, who is responsible for certain information assets can become a problem. The standard can help you become more productive by clearly defining the roles and responsibilities.
Increase your bottom line Becoming ISO27001 conformant can save your organization a lot of money. Damage to your information technology infrastructure can be extremely costly to repair, prevent you from invoicing or identifying outstanding debtors or even result in significant fines levied, for example, by the ICO or Payment Card Industry. Well managed information security is key to cashflow.
Legal Organisations are subject to an ever increasing legislative burden in relation to information. ISO 27001 compliance ensures that you deal with all legal requirements, so that you don’t have to worry about them.
What do I need to do?
ISO 27001 requires you to formally document the areas of your business that relate to information security. This means that you are keeping records that demonstrate that you are operating according to the requirements of the standard. Your initial Information Security Management System should be built by carrying out the following:
Firstly, based on the characteristics of the your organisation, its location, assets and technology, the areas that the management system will cover must be defined. The risk assessment approach that will be used must also be defined, including the criteria the will be used for accepting risks.
Also, the roles and responsibilities of management and staff in relation to information security need to be clearly defined and understood. This includes an understanding of the structure of the organisation and how the groups within it interrelate. The appropriate levels of knowledge required by staff must be determined and training provided where necessary.
Identify the risks
Identify your information security risks, by identifying information ‘assets’ that your business has, and the threats to those assets. The vulnerabilities to those assets must be assessed and the impact of any losses of confidentiality, integrity or availability must be considered.
Following this, you must identify and evaluate options for the treatment of risk, and select controls for the treatment of risks.
The standard provides a list of suggested areas that may be appropriate for an organisation to consider when identifying information security risks:
- Information security policies
- Organisation for information security
- Human resource security
- Asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- System acquisition development and maintenance
- Supplier relationships
- Information security incident management
- Business continuity management
The standard requires the organisation to identify and record all information assets held, together with their ownership, any identified threats to them, any vulnerabilities that might be exploited by those threats and the impacts that losses of confidentiality, integrity and availability may have on them.
Analyse the risks
Analyse and evaluate all of the risks that have been identified, and work out the options for the treatment of those risks.
Create a policy
Based on the risks identified and the analysis of those risks, create a ‘policy’ document for information security.
Prepare a statement of applicability
The standard lists in excess of one hundred ‘controls’, or ways of managing aspects of information security risk. This is not an exclusive list, and an organisation may wish to add controls of their own. However, as a minimum, an organisation seeking certification to ISO 27001 will need to document how they have implemented all of the controls in the standard, or justify why they have decided not to do so. This document is referred to as a statement of applicability.
The standard is based on the cyclic methodology known as Plan-Do-Check-Act (PDCA). Once the initial ISMS is made, the following cycle begins, and is repeated over time:
Obtain/maintain management support for information security management. Re-establish the ISMS policy, objectives, processes and procedures appropriate to your organisation for the management of risk and improving information security. Communicate your policy to staff. Provide training for your staff where appropriate.
Implement the management system: Operate according to the policy, controls, processes and procedures. Identify who is responsible for achieving the objectives that were set in the planning stage.
Assess and, where possible, measure performance against the policy, objectives and practical experience and report the results to management for review. This will include the following:
Internal ISMS Audits The organisation must periodically audit its ISMS to ensure that the ISMS meets the requirements of the standard, meets the requirements of the organisation, is effectively implemented and maintained and performs as expected.
Management Review Management must formally review the ISMS periodically, and at least annually, to ensure its continuing adequacy and effectiveness. There are a number of items that the standard requires this review to cover, and there are a number of outputs the standard also expects, but the review can cover any other areas that the organisation identifies as relevant.
Take actions based on the results of the checking phase to improve the functioning of the ISMS:
This element places an obligation on the organisation to continually improve the ISMS, and requires specific actions to manage corrective actions.
How do I get certified?
Once the Information Security Management System is in place and has been in operation for long enough for evidence of its effectiveness to have accumulated, it is possible to submit the system for certification. This will involve engaging the services of a third party certification body.
There are a number of certification companies in the UK and worldwide who provide this service. In the UK these assessment bodies are regulated by the United Kingdom Accreditation Service (UKAS).