- ISO/IEC 27001:2013 Certification
- ISO/IEC 27001:2013 is the international standard that specifies the requirements for establishing,
implementing, maintaining and continually improving an information security management system
(ISMS) for any organisation, whatever its size or sector. The requirements cover information in every
form, digital and on paper.
ISO/IEC 27001:2013 is the auditable standard in the ISO/IEC 27000 family (its companion, ISO/IEC 27002,
gives implementation guidance for the controls but cannot itself be certified against), and certification
provides independent assurance that an organisation meets the legal, statutory, regulatory and contractual
requirements that apply to the sensitive information it holds. Obtaining an ISO/IEC 27001:2013
certificate demonstrates that you have taken the necessary steps to protect sensitive information, both
your own and your customers', against unauthorized access. Note what the certificate attests to: that
your management system conforms to the standard and that the controls you selected are operating as
intended. It is not a guarantee that a breach cannot occur.
- The Need for Information Security
- Today, Information Technology (IT) is an essential and complex element of almost every
organisation. It underpins everything from the email you send, to the documents you create, to the
information you keep on clients and suppliers.
With the proliferation of connected devices, it has become easier for individuals to access this
information from anywhere in the world. With greater ease of access, however, it also becomes easier for
unauthorized users to obtain your organisation's corporate and customer data.
Current events and world news are full of the names of people involved in large-scale disclosures, such as
Julian Assange, whose organisation, “WikiLeaks”, published thousands of leaked private diplomatic cables on
its website. The release of these sensitive documents allegedly compromised governmental intelligence,
placing lives in jeopardy.
In the private sector, we hear of large corporations such as American Airlines, which recently had over
350 credit card numbers stolen from its passengers. The thief? One of American Airlines' own clerks.
Frighteningly, credit card theft on this scale is not an isolated incident, and the insider with
legitimate access is exactly the kind of threat an ISMS is designed to address.
- What is an Information Security Management System (ISMS)?
- From internal emails to sales materials to financial statements, organisations of all sizes in all
industries handle large amounts of information every day. To an organisation like yours, this
information is a competitive advantage: it is how you solve problems, land big clients, and win your
share of the market. The goal of an ISMS is to protect the information that differentiates your
business, in whatever form it is held and wherever it is processed.
- Principles of an Information Security Management System
- While the design, implementation and maintenance of an ISMS will vary from organisation to
organisation, there are underlying security principles that must be followed for an ISMS to be
effective at protecting an organisation's information assets. These principles, a few of which are
outlined below, build towards a successful ISO/IEC 27001:2013 certification.
The first step in successfully implementing an ISMS is to make stakeholders aware of the need for
information security. Without buy-in from both senior management and the people who will
implement, oversee, or maintain the ISMS, it will be difficult to achieve and sustain the level of
diligence needed to create and maintain a certified ISMS. The standard makes this explicit: Clause 5
(Leadership) requires top management to demonstrate commitment to the ISMS, set the information
security policy and assign roles and responsibilities, and auditors will look for evidence of it.
For an organisation's ISMS to be effective, it must analyse the security needs of each information
asset and apply appropriate controls to keep those assets safe. Not all information assets need the
same controls, and there is no silver bullet for information security. Information comes in all
shapes and sizes, as do the controls that will keep it safe. This is why the standard is built around
risk: Clause 6.1.2 requires a documented information security risk assessment, and Clause 6.1.3 requires a
risk treatment plan and a Statement of Applicability recording which Annex A controls you apply, which you
exclude, and why.
Implementing an ISMS is not a project with a fixed length. To keep an organisation safe from threats
to its information, an ISMS must continually grow, improve and evolve to meet a rapidly changing
technical landscape. Continual reassessment of the ISMS is therefore a must, and the standard requires it
through planned internal audits (Clause 9.2) and management reviews (Clause 9.3). By regularly testing and
assessing the ISMS, an organisation will know whether its information is still protected or whether
modifications need to be made.
- Information Security Management is a Process
- Just as organisations adapt to changing business environments, so must an Information Security
Management System adapt to technological change and to new organisational information. To support this,
ISO/IEC 27001:2013 takes a process approach to the ISMS, traditionally expressed as the
Plan-Do-Check-Act cycle: plan the ISMS and its risk treatment, implement and operate the controls,
monitor, audit and review them, and act on the findings to improve. The 2013 edition no longer mandates
PDCA by name, but its clauses on planning, operation, performance evaluation and improvement follow the
same cycle.
- Overview of Certification
- An accredited certification body (registrar) may certify your ISMS to ISO/IEC 27001:2013. Such
certification provides your organisation with the credibility needed to do business in today's
information-rich world.
Like many other ISO management system standards, ISO/IEC 27001 certification involves a staged audit
process, usually preceded by a gap analysis:
- Gap Analysis - (Stage 0)
- The first part of your ISO/IEC 27001:2013 journey is the gap analysis.
This is where your current policies, procedures and processes are reviewed against the standard's
requirements and a certification timeline is created, reviewed and agreed. The gap analysis is not part of
the formal certification audit, and because accredited certification bodies are not permitted to consult on
the systems they certify, it is usually carried out internally or by a separate advisor rather than by
your auditor.
- Informal Review of ISMS - (Stage 1)
- In the first stage of your ISO/IEC 27001:2013 audit,
auditors carry out a documentation and readiness review of your ISMS. This includes checking for the
existence and adequacy of key ISMS documents (the scope, the information security policy, the risk
assessment and treatment plan, and the Statement of Applicability) and reviewing the overall ISMS. The goal
of this stage is to familiarise the auditors with your organisation, to confirm that you are ready for the
Stage 2 audit, and to flag any areas of concern so you can address them beforehand.
- Formal Conformance Audit - (Stage 2)
- The second stage of your ISO/IEC 27001:2013 audit is
the formal audit. This is a thorough and detailed review and test of your Information Security
Management System against the ISO/IEC 27001:2013 requirements. During this phase, auditors will
interview key employees to test their understanding of your ISMS and will sample evidence that the
controls in your Statement of Applicability are actually operating. Findings are recorded as
nonconformities: major nonconformities must be closed before a certificate can be issued, while minor
ones typically require an agreed corrective action plan. Provided your organisation's system conforms to
the ISO/IEC 27001:2013 standard, this audit will result in your ISMS being certified to ISO/IEC
27001:2013.
- Follow-up Audits
- The final stage of ISO/IEC 27001:2013 certification is a recurring audit to
ensure that your ISMS is continually being evaluated and improved. A follow-up (surveillance) audit,
done at least annually, is meant to confirm that your organisation remains in conformance with the
standard. These audits may be done more frequently in the beginning, particularly while your ISMS is still
maturing. An ISO/IEC 27001 certificate is valid for three years, after which a full recertification audit
is required to renew it.
Deciding to pursue a certified Information Security Management System is a big step for any
organisation, but the potential rewards are great. Armed with a certified ISMS, your organisation will
be able to bid for contracts more competitively, attract more customers, and assure all stakeholders
that the information that keeps your business running is protected.
- For more information about our ISO/IEC 27001 services please Contact Us