What is ISO 27001?
This standard considers everything about risk to information held by your organisation. It is designed to ensure that you are able to select adequate and proportionate security controls that protect your information assets and, most importantly, give your customers and other interested parties confidence that you are able to deal with their information properly and treat it with respect.
The standard consists of three core principles, which are
- confidentiality – not disclosing or making available your information to unauthorised individuals, entities or processes, internally as well as externally, by controlling access to it and not giving out information where it is not required
- integrity – ensuring that information is both accurate and complete, so that your information assets are protected from becoming corrupted and therefore not only useless but also potentially damaging to your reputation and customer confidence
- availability – ensuring that information is available in a timely and usable fashion to those who need it, and that only authorised people are able to access it
Like many of the ISO management system standards, ISO 27001 is based on the Plan-Do-Check-Act methodology and has been designed to be similar in structure to other management system standards. This ensures that all of these standards can easily be integrated by users.
What are its benefits?
Implementing and maintaining an information security system has benefits in itself, but using the internationally recognised and respected ISO 27001 standard clearly demonstrates that you have taken a sound, systematic approach to this, especially if you can show you have gained certification from a UKAS-accredited certification body (see the links below to understand why UKAS accreditation matters). Key benefits are
- demonstrating the integrity of your data and systems and your commitment to information security
- providing new business opportunities with those customers who have security at the front of their minds
- allowing you to enforce information security and reduce the possible risk of information loss or fraud
- enhancing the credibility of your organisation
How we can help you implement and maintain it
We have a wealth of experience in
- developing information security systems that are effectively integrated within your organisation and, if appropriate, with management systems based on other standards e.g. ISO 22301
- training staff and managers in ISO 27001 and internal auditing against the standard
- security planning and security awareness training
- supporting management teams through the ISO certification process – we only work with certification bodies accredited by UKAS or, outside the UK, by members of the International Accreditation Forum (IAF)
- conducting readiness reviews/gap analysis in preparation for certification audits
Why use a certification body accredited by UKAS or an IAF member to certify your management system? See the related notes below on why this matters.
How to avoid a certification body that is unfit for purpose
If the body awarding your certification is not itself operating to internationally recognised standards, you could find yourself implementing something of no real value to your organisation. UKAS and its overseas equivalents (only one per country) are appointed by their governments to help you avoid this pitfall.
Each country's government-appointed accreditation body is a member of the International Accreditation Forum (IAF).