ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an Information Security Management System (ISMS) standard first published in October 2005 and revised in September 2013. The full title of the 2013 edition is ISO/IEC 27001:2013 – Information technology — Security techniques — Information security management systems — Requirements, but it is commonly known simply as "ISO 27001".
ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Because it is a formal specification, it mandates specific requirements rather than offering guidance. Organizations that claim to have adopted ISO/IEC 27001 can therefore be independently audited and certified as compliant with the standard.
Most organizations have a number of information security controls. Without an ISMS, however, those controls tend to be disorganized and disjointed, often having been implemented as point solutions to specific situations or simply by convention. Maturity models typically refer to this stage as "ad hoc". The controls in operation usually address particular aspects of IT or data security, leaving non-IT information assets (such as paperwork and proprietary knowledge) less well protected overall. Business continuity planning and physical security, for example, may be managed quite independently of IT or information security, while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.
Significant benefits of achieving ISO/IEC 27001 certification include:
- Keeps confidential information secure
- Provides customers and stakeholders with confidence in how you manage risk
- Allows for the secure exchange of information
- Helps you ensure that you are meeting your legal obligations
- Helps you comply with other regulations (e.g. SOX)
- Provides you with a competitive advantage
- Enhances customer satisfaction, which improves client retention
- Brings consistency to the delivery of your service or product
- Manages and minimizes risk exposure
- Builds a culture of security
- Protects the company, its assets, shareholders and directors
We will design the system around your existing business practices wherever possible and, where necessary, help you identify and resolve the areas in which you do not yet conform to the ISO 27001 requirements.
Once the system has been implemented, we will arrange for it to be fully audited by one of our auditors before recommending you for your ISO 27001 assessment by an external Certification Body.