ISO 27001 INFORMATION SECURITY MANAGEMENT SYSTEMS
ISO 27001 is an internationally recognised standard for information security (InfoSec) management, incorporating data management, cybersecurity, and privacy protection. It defines the requirements for an effective system that can be applied to any type and size of organisation. It’s not just for the IT Crowd. We can help you to establish and implement your information security management system (ISMS), either from scratch or by transitioning to the latest requirements, making sure you gain (and/or retain) your ISO 27001 certification.
ISO 27001 is used by businesses of all shapes, sizes and sectors to create and manage an effective information security management system. This is no small feat given the volume of data we now produce, transmit, process, store and consume! The digital world keeps transforming itself, so it’s no surprise that ISO 27001 needed revising in 2022 just to keep pace.
Published jointly by ISO and the International Electrotechnical Commission (IEC), ISO 27001 covers how your ISMS should be established, implemented, maintained and continually improved. The key to this standard is showing how your ISMS is woven into the fabric of the business from the management structure, through systems, processes, people, technologies and let’s not forget the physical world where many data breaches still occur.
The standard is all about risk and control. In short, it requires you to assess your information security risks in terms of Confidentiality, Integrity and Availability (CIA) and then apply proportionate, rigorous controls. Again, this is not just about IT – your controls will need to cover the organisational, people, physical and technological aspects of your business.
Whether you are setting out for the first time with the standard, or need to transition to the latest version, we can help you to navigate the detailed requirements and ensure that they work effectively for your organisation.
Yes.
This standard can be applied to any organisation, of any size, in any sector. It is not just aimed at “IT-specific” businesses. IT systems lie at the heart of most businesses and having an information security management system robustly implemented to this standard can provide a solid basis for embedding good working practices, risk management, and cyber resilience. Even if you are running on paper and old-fashioned filing cabinets, the chances are you would be scuppered if confidential, business-critical or sensitive information were to be lost, stolen, corrupted, destroyed or obtained by the wrong type of individual or organisation.
It’s not about IT, it’s about information security. If your business could be severely impacted by data theft, data leaks, cyber-crime, commercial espionage, loss of physical information assets, or simple lack of security awareness and discipline, then ISO 27001 is relevant to you.
In the age of the internet, our world runs as much on information as it does on energy. As information management becomes more complicated, the number of threats and vulnerabilities rises and closing every loophole gets harder and harder: private networks and internet connectivity, servers, data centres and cloud services, process automation and IoT, cryptography, blockchain and big data. Technology alone is reason enough for most organisations to worry about information security.
Every customer wants, needs and expects you to secure their information. Equally, they expect you to stay in business to support them, which means securing your own information and the organisation and infrastructure required for business continuity. This means securing the assets, systems, processes, technologies, equipment, people and buildings that store or process that information.
Whether dealing with your own “back-office”, your external support or your customer-facing systems you need to ensure that you can identify and understand your InfoSec risks and think about your security needs in a structured way. You could try to find your own way to do this, but why re-invent the wheel? And why wait until you suffer a breach of confidentiality, loss of data or major outage? Still not convinced? Ask yourself this:
How important are the confidentiality, integrity and availability of your data? How about your customers’ data? And the data you hold about your staff and suppliers? Not to mention commercial, financial and legal information. Then there is your intellectual property (IP), which can be anything from the design of your products, the founder’s secret ingredient, production methods developed over decades or even centuries, research breakthroughs, tech solutions racing to market, the wizardry of your people, the state of your finances…need we go on?
Now think about the many ways that information could be leaked (confidentiality), damaged (integrity) or lost (availability). Just thinking about the information in your IT systems probably brings on a headache. Try getting your head round the IT system itself. How secure are your servers, desktops, laptops, tablets, phones, user accounts, subscriptions, connections, systems, databases, applications, cloud services, free apps and those old but crucial software programs designed on the cheap by a couple of undergraduates many summers ago. If you’re not worried about that, what about your employees – how security conscious and trustworthy are they – especially when disgruntled or on their way out? Are your policies, procedures and technological controls robust enough to prevent or minimise the damage? And what about the premises you occupy – would it really be that difficult for a gang of bored teenagers to break in, a fire or flood to start and spread, or a power failure to take out the business and render all data inaccessible? It could be disastrous for any organisation. If you happen to be a provider of information or data services, weak InfoSec could spell the end.
ISO 27001 and its sister standard ISO 27002 provide a structure and a menu of controls that you can use to manage the risks. Demonstrating compliance with ISO 27001 will also help your organisation to embed an InfoSec culture which protects the company, its assets, and its stakeholders. Whether you are transitioning from the earlier version of the standard - or are just starting out with it - QFactorial can support you to maximise the benefit to you and to help you towards certification.
We are, first and foremost, a quality management consultancy. And we are really keen on the consulting part. By engaging with us you can be assured we will listen carefully to your story and understand the details of what you want, and what you need (which are not always the same thing!). Our consultants can then offer you a uniquely tailored solution. We're Quality People, and we understand how to bend and shape the ISO framework to add value to your business.
The world has been changing at an unrelenting pace in relation to information technology. With new developments, regulations and the impacts of threats happening all the time, the safety and security of the information so many depend on can seem under constant threat. The standard was updated and revised in 2022 to address some of these changes.
Whilst the front part of the standard aligns with the structures of ISO 9001 and other management system standards, the more detailed and difficult Annex A includes a complete refresh of the InfoSec controls, including new concepts, new controls, detailed enhancements and a whole new structure. Transitioning may be a challenge for many businesses, but we think the new structure makes a lot more sense and is therefore worth the effort.
A transition timeline has been set for organisations certified to the 2013 version to migrate to the 2022 requirements: all ISO 27001:2013 certificates expire on 31 October 2025. The clock is ticking, and it’s better to get ahead of the game now than to wait until the last minute!
QFactorial can help your business to make the required transition effectively, and if you are starting out for the first time, we can support you in using this standard to establish a robust and effective system that will help you to manage your information security risks.
ISO 27001:2022 sets out key considerations linked to the strategy, risk controls, policies, processes and measures you need to have in place for planning, implementing, maintaining (and continually improving) a robust information security management system. In this latest revision there are changes throughout the main clauses, a number of new and changed requirements, and a major change relating to information security controls.
The standard lists requirements about the needs and expectations of your interested parties, your leadership, planning, and the assessment of risks and opportunities. It considers support requirements such as the resources, competence and communication of your people, and the operational controls, performance measurement and improvement aspects which contribute to the effectiveness of your information security management system.
In assessing your information security risks, you will need to determine the controls your organisation needs and show that no necessary controls have been left out; the justification for including or excluding each control is recorded in your Statement of Applicability. Annex A contains a reference list of 93 information security controls (not exhaustive) grouped into four themes: organisational controls, people controls, physical controls and technological controls.
With our extensive knowledge of the standard, and an eye to the needs and benefits for your business, we can support you to build a robust, effective and compliant information security management system.
Anyone can use ISO 27001 as a tool for establishing, developing, and improving their information security management system. You may be an organisation working specifically in the IT sector, but you don’t have to be – the standard is growing in use by all kinds of services and manufacturing as well as private, public, and non-profit organisations.
You may already be familiar with ISO 9001, in which case you may understand the outline structure and basic principles that you need to make a start. But even if not, you can use ISO 27001 to “say what you do” and then think about how you can prove that you “do what you say” when it comes to the confidentiality, integrity and availability of the information you use. Your risk assessment will drive you to think critically, and regularly, about the weaknesses in your systems and the potential threats so that you can develop your system to deal with them effectively. You will then need to consider the organisation, processes, controls and training you require to make your system workable, operationally secure and resilient – and to keep improving it.
We can help you to document your ISMS in a way that meets the requirements of the standard but also works for you and how you actually operate. We can support you by identifying the gaps between where you are and where the standard needs you to be, and we can recommend changes and improvements to address them in a way that’s relevant for you and your team. We can work with you to implement and develop your system and can support you however much or little you need. We are here to help you to succeed, not only to meet the requirements of the standard, but to continue to develop and maintain your compliance as your business grows.
Certification by an independent, accredited body is the best demonstration of your compliance to ISO 27001. Certification means that your system is scrutinised and verified on a scheduled basis through an external audit programme. It is an excellent way of confirming your application of your own system – to yourselves, to regulatory bodies and to your stakeholders.
In the UK, certification to ISO 27001 should be undertaken through one of the certification bodies accredited by UKAS, the UK’s National Accreditation Body for certification, calibration, inspection and testing services. Only UKAS-accredited certification bodies are recognised by the UK Government and major purchasers, and they operate programmes for transition to the new revision of the standard, as well as for new clients.
We can help you to choose a UKAS-accredited certification body and can support you through the certification process. We can help you however you need us to, whether by preparing documentation, training and mentoring, reviewing and auditing, or by working with you to develop and integrate your system beyond certification so that it always meets your needs as well as the requirements of the standard.
Whether you are certified to the previous version of ISO 27001 and need to migrate to the new standard, or you are just starting out, the process towards certification requires planning, commitment, and resources. How much work is involved will depend on your current stage of development, the size of your organisation and the number of people involved. We will work closely with you to identify your gaps and synergies against the requirements of the standard, and to develop a workable action plan to achieve your certification in the most efficient way. Our effective project management and extensive know-how will support your schedule and budget with the resources tailored to help you at every stage.
Whether you are migrating from the old version of the standard or approaching the new 2022 revision for the first time, there are requirements to define processes, maintain documented information and to communicate the importance of information security within your organisation. Apart from new formatting and updating the numbering of clauses, there are some changes to incorporate too, along with a variety of documents and records which may be mandatory, dependent on your risk assessment.
We can help you to update or build your system and document the requirements in the most effective ways. We don’t believe in producing a tome of paper that thuds onto the desk once a year when the auditor asks to see it. We want to create a tailor-made, usable, readable and (dare we say) useful ISMS that actually helps you run your business efficiently and effectively. So, whether you are just starting to develop your ISMS, or have a system that now needs updating to meet the revised standard, we can help.
How long is a piece of string?
You’re not a cookie-cutter company, so we don’t deal with cookie-cutter prices. But let’s talk about what makes up the cost of ISO certification:
- Finding out where you’re starting from, where you need to be and how to get there. (GSAAP).
- In house resources to manage and deliver the work plan.
- External consultants to help with parts of the plan that are outside your skills and experience (or time).
- Certification Body.
- Maintenance of your certification. Not just polishing the frame.
Depending on the size, scale and complexity of your organisation, you may need more or less consultancy time. We can work with you based on a specific number of days at an agreed rate, carefully scoped, fixed price work packages, or a combination of both to suit your budget.
There is a difference between certification and accreditation. In the UK there is only one government-approved accreditation body (UKAS). When your customers ask to see your ISO certificate, they expect to see the UKAS logo alongside the certification body’s logo. Without it, your customer may reject the certificate and you may find you have a costly exercise to undo the commercial damage, upgrade your system and go through the certification process all over again. We can help you choose a UKAS-accredited certification body to make sure you aren’t going to get any awkward questions later.
We’ve been in this game a long time now and have developed a proven system of tackling the requirements of ISO certification with you. We begin with our Gap & Synergy Assessment with Action Plan (GSAAP for those acronym lovers) which shows us how close you already are to the standard requirements. We find, usually, that there are many more synergies than you’d expect - you’re running a successful business after all, aren’t you?
This gives us a head-start when creating the ISMS and gives you the opportunity to get to know your consultant and confirm you enjoy working with us before embarking on the good ship certification. At this point you’re able to take the GSAAP and run, but of course we’d like to think you’d want to keep working with us to help you with the documentation (Stage 1) and implementation (Stage 2).
We help share the load by reviewing what you create, or creating things for your review - business manuals, process maps, policies and procedures, etc. Once this is all done, there’s a desktop audit by the certification body to check all your documentation complies with the rigours of your chosen standard - and yes, we can be involved in this as your advocate, interpreter, translator or referee. Stage 1 is all about ‘saying what you do’ as a business. But you can’t just say what you do, you also need to ‘do what you say’. Stage 2 is all about those documents coming off the page and becoming a ‘real’ entity in your business. The burden of proof is on you to show that your system, as you’ve set out in Stage 1, is working as you say it should be. It takes time to gather this body of evidence, anywhere from 2-3 months, and this evidence can take various forms. Our role during Stage 2 is to provide training, mentoring, internal audits and management reviews to ensure your business is ready for the Stage 2 external audit. It’s entirely normal for a few ‘nonconformities’ to arise, especially at this stage, but we’ll be there to help you deal with them and make sure you get that recommendation for certification.
At this point you’re able to take your new ISO Certificate, pat yourselves on the back for a job well done and send us on our merry way, happiness all round. However, we recommend you stick with us for this first year. Why? So we can help establish quarterly health checks to keep things ticking over. No one wants to be thrown into a full-blown panic 11 months down the line as the surveillance visit looms and you realise things have gotten a little wobbly. With us on board that little while longer, you can be sure that the gears are turning and the processes are followed so when the auditor returns, you’re armed and, if not dangerous, at least prepared.