Have you noticed ISO 27001 certification cropping up on an increasing number of RFI and tender documents?
If so, you’re not alone.
According to the BSI (1), more government contracts – and, increasingly, private sector contracts – are now stipulating that the successful supplier should have ISO 27001 Information Security Certification.
ISO/IEC 27001 is an international standard that relates to the management of information security.
As such, it is a blueprint for implementing best-practice standards.
It offers a framework to help you establish, implement, operate, monitor, review, maintain and continually improve an information security management system (ISMS).
The standard was originally published jointly by the International Organisation for Standardisation and the International Electrotechnical Commission in 2005. It was revised in 2013.
Achieving an ISO 27001 certification enables you to demonstrate the highest standard of information security to your customers (and potential customers).
ISO 27001 requires business-wide commitment to attain and maintain the highest levels of risk identification and mitigation in information management. It’s a powerful indicator that your organisation takes information security seriously.
The Minimum Cyber Security Standard (2) sets out the cyber security standards that government expects departments to adhere to and exceed wherever possible.
This includes the need to identify and catalogue sensitive information, systems and accounts and to protect and maintain them, as well as standards for threat detection, response and recovery.
Since two key foundations of ISO 27001 are the development of a comprehensive asset register (including data assets) and a risk register, it is well suited to demonstrating compliance with the MCS standard.
Furthermore, because the standard also states that all parties should look to exceed the requirements wherever possible – and that the requirements will be heightened as time goes on – going beyond the minimum requirements of Cyber Essentials to achieve ISO 27001 serves, to an extent, to future-proof compliance.
There is a great deal of preparatory work in an ISO 27001 certification.
The development of a comprehensive asset register, which includes all information assets held in the organisation, is the first step. More than likely, this will require the involvement of users across the business. It will also require an effective management system to hold the register. This should be easily updatable, so that the various business users can input and update information about the assets they “own”.
After you have mapped out the data and systems throughout the organisation, you’ll need to compile risk assessments. Each item on your register will need to be defined in terms of risk and mitigation. The risk treatment plan and statement of applicability are key documents required for an ISO 27001 compliance project.
Once you have compiled this information and implemented any necessary actions, you’ll need a properly accredited certification body to review your management system documentation, check that you have implemented appropriate controls and conduct a site audit to test the procedures in practice.
• Staff awareness training and clear explanations about why you are going for certification and the actions that underpin certification will help to support the change, encourage involvement and create opportunities for ongoing improvement.
• Specify an ISMS: a single searchable system that holds all asset, data, risk and mitigation information enables far easier management and facilitates ongoing improvements.
• Expert assistance: if you’ve not worked towards ISO 27001 before, reach out to an experienced partner to help you get underway. The Grant McGregor team can help you to create and build out your asset and risk registries. We can also help you establish the required policies and procedures and map them against the controls of ISO 27001. Plus, we’ll help you get ready for inspection and certification.
As a blueprint for best practice standards in information security, working towards ISO 27001 will undoubtedly reveal additional opportunities for improvement within your current operations.
As such, it will expose opportunities for you to strengthen your organisational security posture.
Achieving ISO 27001 will help you to reassure partners throughout your supply chain that you are committed to good information management practice. This is especially important in data-intensive industries, where compliance with, for example, GDPR is a major concern.
It will also reassure new potential partners that you are committed to good information security and should, therefore, help you to win more business.
Furthermore, it’s a great way to demonstrate to regulators you are going the extra mile to meet your information security obligations. An ISO 27001 certification helps to underline that you have worked to implement technical measures that meet the requirements of GDPR set out in Article 32. Demonstrating such commitment will be important if you do suffer a breach. It may serve to mitigate any fines to which you would otherwise have been subjected.
If you have any further questions about ISO 27001 – what it is, how to achieve it, or how we can support you – please reach out to our team.
Sources:
1. https://www.computerweekly.com/news/2240063139/Tender-conditions-drive-ISO-27001-update
2. https://www.gov.uk/government/publications/the-minimum-cyber-security-standard