ISO 27001

Introduction

The rising value of information to organizations combined with recent high profile information security breaches, are highlighting the ever mounting requirement for organizations to protect their information. In order to ensure the continuity of your operations and the safety of your data and systems, the security of information systems and critical business information must be constantly and actively managed.
Unprotected systems are vulnerable to many threats, including computer-assisted fraud, sabotage and viruses. These threats can be internal or external, accidental or malicious. Breaches in information security can allow vital information to be accessed, stolen, corrupted or lost. It is crucial that every company institutes appropriate controls and procedures in place to avoid such incidents.

The internationally recognized information security management system ISO 27001 (better known as ISO/IEC 27001) is suitable for any organization, large or small, in any sector or part of the world where managing sensitive company information and keeping it secure from outsiders is importrant. The standard is particularly suitable where the protection of information is critical, such as in the finance, health, public and IT sectors.

Background

ISO 27001 or more precisely ISO/IEC 27001:2005 Information technology, Security techniques, Specification for an Information Security Management System is an internationally recognized standard that governs the design, implementation, monitoring, maintenance, improvements, and certification in the area of Information Security Management Systems (ISMS). ISO 27001 is the formal standard against which organizations may seek independent certification of their ISMS.

The IT department is the main focus of ISO 27001 implementation, but the standard involves areas in the entire company as well. The main driver, sponsor, and promoter of the change must be the company’s management, while its IT is mainly responsible for its execution. In addition to management and IT, the departments that must be involved include HR, Training and education, building security, building maintenance, legal department as well as suppliers, outsourcing and, last but not least, employees.

ISO/IEC 27001 is also highly effective for organizations that manage information on behalf of others, such as IT outsourcing companies. This standard requires and organization to assure customers that their information is being protected.

ISO 27001:2005 Information Security Management Systems (ISMS) involves three core principles – confidentiality, integrity and availability, which, in turn, cover eleven areas:

Security policy
Organization of information security
Asset management
Human resources security
Physical and environmental security
Communications and
Operations management
Access control
Information systems acquisition, development and maintenance
Information security
Incident management
Business continuity management; and Compliance

Basic Requirements

ISO 27001 requires the organization to:

• Analyze risks related to information security
• Define specific and optimal security goals (the standard requires a company to  specify its own security goals which an auditor verifies)
• Define defined and documented methods which all activities should follow
• Document all risks, goals, and methods
• Implement measures to mitigate and manage risks
• Assign accountability for risk management
• Measure information security
• Embed continuous improvement approach

What Certification Does

• Demonstrates the integrity of your data and systems and your commitment to information security
• Transforms the organization’s culture both internally and externally
• Allows enforcing information security and reducing the possible risk of fraud, information loss and disclosure
• Demonstrates the independent assurance of your internal controls
• Meets corporate governance and business continuity requirements
• Independently demonstrates that applicable laws and regulations are observed
• Provides a competitive edge
• Meets contractual requirements
• Demonstrates to your customers that the security of their information is paramount
• Verifies that your organizational risks are properly identified, assessed and managed,
  while formalizing information security processes, procedures and documentation

Benefits

• Enhances the credibility of your organization
• Opens up new business opportunities with security conscious customers Improves employee ethics
• Strengthens the climate of confidentiality throughout the workplace
• Provides a competitive advantage over companies that aren’t certified against ISO/IEC 27001:2005
• Reduces the risks associated with unsecured data and information
• Formalizes your corporate information system structure (infrastructure, buildings, cabling, environment, alarms, fire and flood prevention, access control, etc.)
• Effectively organizes all existing and necessary company IT security processes
• Protects vital business assets with regular backups
• Provides design of ongoing system optimization
• Potentially reduces insurance premiums with proven compliance
• Reduces the potential for law suits

IPS services

Certification – we provide assessment and certification to ISO/IEC 27001
We have assessors who are management systems experts and qualified in information security and IT. They have extensive industry experience, knowledge and skills to provide a thorough and objective audit of your information security management system. Benchmarked against best industry practice, an IPS certification will provide increased confidence in your own security measures. 

Next steps…
Please contact us for more information