ISO27001 Information Security Management
ISO27001:2013 is the internationally recognized Information Security Management System (ISMS) standard
ISO 27001:2013 is an internationally accepted standard that outlines how to put an effective Information Security Management System in place. It is designed to help businesses ensure they are aware of the security of the data they either own themselves or are entrusted with by their customers. An ISO 27001:2013 system provides the framework that allows you to meet increasingly high customer expectations of corporate responsibility as well as legal and regulatory requirements.
Its main purpose is to ensure the effective management of data security, with the aim of preventing data loss incidents that would compromise both the data's integrity and the company's reputation.
Implementation of ISO 27001 can take place in many ways. If a company has the resources and the time, it may well attempt to do it internally by purchasing the standard and starting from scratch. A manager may decide to do this, or a team may be set up to handle the implementation aspects of ISO27001.
If you take this route you must remember the time commitment involved. First, learning the standard and making sense of it can be a time-consuming process.
By using the services of a consultant, the time you have to spend will be greatly reduced and the exercise will ultimately work out cheaper. A good consultant should always set out with the goal of empowering management with a working knowledge of the standard, so that the company eventually integrates and manages the practices with little to no help from the consultant, or simply calls the consultant in if things get too hectic or for specific advice or assistance.
Continual improvement is a major factor of ISO27001, and this includes improving management's knowledge of the standard. The standard itself goes through revision and continual improvement, with new issues released every few years; the current version was released in 2013. At Revision Management Systems we like to think we will enhance management's knowledge of the content of the standard as well as implement a fully working ISMS.
Be wary of consultants who aim to make the standards appear overly complex or some sort of guarded secret. By allowing a business management system to be implemented that you do not fully understand, you run the risk of relying on that consultant full time to run your system. That's very good business for the consultant but not so good for the company. If you want to have regular visits from a consultant then this is fine, but it should be because you want them in order to enhance operations and for assistance, not because you have to, due to the fact that you don't fully understand your own quality management system.
At Revision Management Systems we have adopted the following stages to successful implementation; remember, this is not set in concrete, so if you require more or fewer visits this can be arranged. The following method applies to companies starting from scratch with no prior knowledge of ISO27001.
Certification should be carried out by an independent UKAS-accredited certification body, which will follow the process below when coming onto your site to carry out assessment audits.
A stage one visit will be a purely documentation-based audit and may not even take place on site. It simply checks that the documentation you have in place meets the requirements of ISO9001, provides information on any improvements that are needed in order to meet the requirements of the standard, and then makes recommendations for a stage 2 visit. If the assessor comes on site, a tour of the business and an idea of how advanced implementation is could be touched upon.
Following a successful stage one audit, the stage two audit will look at actual implementation, audits, records, evidence of management commitment, etc. This is a more thorough audit and basically makes sure that what is documented is happening in the business.
If successful, the assessor will recommend the company for certification; the assessor's report will go to an independent panel, which will either accept or reject it. If accepted, the certificate will be issued.
Certification runs on a 3-year cycle, with overview visits taking place in the first 2 years and then a technical review taking place on the 3rd visit. The number of visits can vary depending on the size of the organization and the certification body.