ISO/IEC 27001:2013 is the international standard that provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).
As concern about security incidents grows, customers are looking for reassurance from the companies they buy from, and those companies are in turn seeking reassurance from their suppliers that information security is being managed so that their data is protected. For many companies the response to these concerns is alignment with ISO27001.
This article covers some of the key points we have found that will make ISO27001 work for your business.
The first recommendation is to establish an Information Security Management System manual. This manual provides the framework for the business's Information Security Management System (the ISMS). It defines the approach to information security, as well as the practices and procedures used to secure your information and the processes, systems and networks that support it.
When choosing a risk assessment methodology, keep it simple, so that when it is applied across all information assets it yields a clear prioritisation.
When implementing an ISMS, set clear objectives, as these will in turn drive how you measure the success of the system. Without a benefit realisation plan you will not know how good or how bad your ISMS is. Factors that determine whether those objectives are met include:
- Management Support: Visible support from management is key to the success of an ISMS, and management must be committed if there is to be mutual buy-in. If management do not recognise the benefits or support the ISMS, then its value is reduced;
- Culture: For ISO27001 to succeed, it must work within the culture of the company. An organisation can meet the requirements in a way that fits how it already works rather than changing its culture. In essence, ISO27001 must be integrated, not imposed; and
- The Right Reason: ISO27001 certification can have benefits in itself, in attracting new customers for example. However, it is important to seek certification for the right reasons: do not just get the stamp, but realise the benefits for the business.
When reviewing the ISMS, ask these questions:
- How do you know your security programme is working?
- What were your objectives?
- Does the solution you have chosen fit the business?
It is important to note that ISO27001 does not fix a poor ISMS; rather, it provides the framework within which a good ISMS can be built.
There are two audit stages in achieving certification. Part 1 is a review of the ISMS, including checking the existence and completeness of key documentation such as the organisation's information security policy. Part 2 focuses on the Statement of Applicability and the risk treatment plans that have been identified. Whilst these parts can be combined into a single audit, most companies find that separate audits give them reassurance after Part 1 before committing to Part 2.
For more information on how ISO27001 can work for your business, please contact us.