ISO / IEC 27001


ISO/IEC 27001:2013 Certification
Introduction
ISO/IEC 27001:2013 is the international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) in any organisation, regardless of size or sector. The standard sets out the management-system requirements an ISMS must meet and, in its Annex A, a reference set of controls that help keep your digital and paper information safe; detailed implementation guidance for those controls is given in the companion standard ISO/IEC 27002.

ISO/IEC 27001:2013 is the internationally recognised auditable standard for information security management systems and provides independent assurance that an organisation has identified and addressed the legal, statutory, regulatory and contractual requirements that apply to the sensitive information it handles. Obtaining ISO/IEC 27001:2013 certification demonstrates that you have taken the necessary steps to protect sensitive information, both your own and your customers', against unauthorised access. Note that a certificate attests that the ISMS conformed to the standard's requirements when it was audited; it does not guarantee that no security incident will occur, which is why the standard places such weight on ongoing monitoring and improvement.
The Need for Information Security
Today, Information Technology (IT) is an essential and complex element of almost every organisation. IT touches everything from the email you send, to the documents you create, to the information you keep on clients and suppliers.

With the proliferation of connected devices, it has become easier for individuals to access this information from anywhere in the world. With greater ease of access, however, it also becomes easier for unauthorised users to obtain your organisation's corporate and customer data. Current events and world news are full of the names of people involved in large-scale information leaks, such as Julian Assange, whose organisation "WikiLeaks" published thousands of classified diplomatic cables on its website. The release of these sensitive documents allegedly compromised governmental intelligence, placing lives in jeopardy.

In the private sector, we hear of large corporations such as American Airlines, which recently had over 350 of its passengers' credit card numbers stolen. The thief? One of American Airlines' own clerks, which illustrates that the insider with legitimate access is as much a threat as the external attacker. Frighteningly enough, credit card theft on this level is certainly not an isolated incident.
What is an Information Security Management System (ISMS)?
From internal emails to sales materials to financial statements, organisations of all sizes from all industries deal with large amounts of information each day. To an organisation like yours, this information is a competitive advantage – it’s how you solve problems, land big clients, and grab your share of the market. The goal of the ISMS is to protect the information that differentiates your business, both online and in person.
Principles of an Information Security Management System
While the design, implementation and maintenance of an ISMS will vary from organisation to organisation, there are underlying principles that must be followed for an ISMS to be effective at protecting an organisation's information assets. These principles, a few of which are described below, underpin a successful ISO/IEC 27001:2013 certification.

The first step in successfully implementing an ISMS is to make stakeholders aware of the need for information security. Without buy-in from both senior management and the people who will implement, oversee or maintain the ISMS, it will be difficult to achieve and sustain the level of diligence needed to build and keep a certified ISMS. The standard makes this explicit: its Leadership clause (clause 5) requires top management to demonstrate commitment, establish the information security policy and assign the relevant roles and responsibilities, and auditors will look for evidence of this.

For an organisation's ISMS to be effective, it must analyse the security needs of each information asset and apply appropriate controls to keep those assets safe. In ISO/IEC 27001:2013 this is done through a documented risk assessment and risk treatment process: risks to the confidentiality, integrity and availability of information are identified and evaluated, treatment options are chosen, and the controls selected (and any Annex A controls excluded, with justification) are recorded in the Statement of Applicability. Not all information assets need the same controls, and there is no silver bullet for information security. Information comes in all shapes and sizes, as do the controls that will keep it safe.

Implementing an ISMS is not a project with a fixed end date. To keep your information safe from evolving threats, an ISMS must continually grow, improve and adapt to a rapidly changing technical landscape. Continual reassessment of the ISMS is therefore a must, and the standard builds it in through planned internal audits, management reviews at planned intervals, and the treatment of nonconformities through corrective action. By regularly testing and assessing the ISMS, an organisation will know whether its information is still protected or whether modifications need to be made.
Information Security Management is a Process
Just as organisations adapt to changing business environments, so must an Information Security Management System adapt to technological change and to new organisational information. To support this, ISO/IEC 27001:2013 takes a process approach to the ISMS that maps onto the Plan-Do-Check-Act cycle: planning (context, leadership, risk assessment and treatment), operating the controls, checking performance through monitoring, internal audit and management review, and acting on the results through continual improvement.
Overview of Certification
An accredited certification body (registrar) may certify your ISMS to ISO/IEC 27001:2013. Such certification provides your organisation with the credibility needed to do business in today's information-rich world. Like many other ISO management-system standards, ISO/IEC 27001 certification involves a staged audit process: an optional gap analysis, a Stage 1 audit, a Stage 2 audit, and then recurring surveillance audits during the three-year life of the certificate.
Gap Analysis - (Stage 0)
The first part of your ISO/IEC 27001:2013 journey is the gap analysis. This is a pre-assessment, not part of the certification audit itself, in which your current policies, procedures and processes are reviewed against the standard's requirements, the gaps are identified, and a certification timeline is created, reviewed and agreed.
Documentation and Readiness Review - (Stage 1)
In the first stage of your ISO/IEC 27001:2013 audit, auditors review the ISMS documentation and assess your readiness for Stage 2. This includes checking for the existence and adequacy of key ISMS documents, such as the ISMS scope, the information security policy, the risk assessment and risk treatment records and the Statement of Applicability, and reviewing the overall design of the ISMS. Any gaps found here can be closed before Stage 2. This stage also familiarises the auditors with your organisation and gives you the chance to get to know the auditors.
Formal Conformance Audit - (Stage 2)
The second stage of your ISO/IEC 27001:2013 audit is the formal conformance audit. This is a thorough and detailed review and test of your Information Security Management System against the ISO/IEC 27001:2013 requirements, carried out largely on site. During this stage, auditors sample evidence that the documented processes and selected controls are actually in operation and interview key employees to test their understanding of the ISMS. Provided your ISMS conforms to the ISO/IEC 27001:2013 standard, and any nonconformities raised are addressed, this audit results in your ISMS being certified to ISO/IEC 27001:2013.
Follow-up Audits
The final stage of ISO/IEC 27001:2013 certification is a cycle of recurring audits to ensure that your ISMS is continually being evaluated and improved. Surveillance audits, done at least annually, confirm that your organisation remains in conformance with the standard, and a full recertification audit is carried out before the certificate expires at the end of its three-year cycle. Surveillance audits may be done more frequently in the beginning, particularly while your ISMS is still maturing.

Deciding to pursue a certified Information Security Management System is a big step for any organisation, but the potential rewards are great. Armed with a certified ISMS, your organisation will be able to bid for contracts more competitively, attract more customers, and assure all stakeholders that the information that keeps your business running is protected.
For more information about our ISO/IEC 27001 services please Contact Us