What is ISO27001
ISO27001 is the International Standard for Information Security, and it is recognised across the World as the best practice framework which can be externally checked and certified by an independent body. By its own definition, it was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”
Technology neutral and risk based
The International Standard is risk-based, but technology neutral. It requires the identification of all assets and their implied risk to the information security of the business. These risks can be mitigated by using the listed controls that cover all of the main processes and procedures that a business would encounter. The standard, as with other things like Health and Safety, needs to become part of the staff culture to be effective and requires leadership from above to maintain its effectiveness.
The six main elements
In the most simple outline it defines 6 key elements:
- Define a security policy
- Define the scope of the framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes
- Conduct a risk assessment
- Manage identified risks
- Select objectives and controls to be implemented
- Prepare a statement of applicability
The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.
While it does not predicate specific information security controls, it does provides a checklist that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.
What to look for in certification
All certificate bodies within the UK should be approved by UKAS (UK Accreditation Service).
The certificate for a business will last for 3 years and is subject to the certification body returning at regular intervals to check on compliance. This is at least once a year and dependent of the size and complexity of the business.
What can Coast Consultants offer?
ISO27001 Implementation Consultancy
ISO27001 Compliance Assessments
ISO27001 Internal Audits, where the certified business lacks the resource
Other News and Posts
Registered Office: Coast Consultants Ltd. Coastal Breeze, The Ridgeway Saundersfoot SA69 9JY
Copyright - ©Coast Consultants 2023