ISO 27001 is the only auditable international standard which defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls. This can help you to protect your information assets and give confidence to any interested parties, particularly your customers. The standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving your ISMS.
Who is it relevant to? ISO 27001 is suitable for any company, large or small, in any sector or part of the world. The standard is particularly suitable where the protection of information is critical, such as in the finance, health, public and IT sectors. ISO 27001 is also highly effective for companies which manage information on behalf of others, such as an IT outsourcing company. ISO 27001 can be used to assure customers that their information is being protected.
Benefits? There are various benefits to implementing ISO 27001. These include:
- Help minimise and manage security risk
- Third-party assessment verifies that the company’s risks are properly identified and assessed
- Certification improves the company’s marketing potential by providing assurance to business partners
- Certification demonstrates that relevant laws and regulations are being observed
- Can provide a competitive advantage within the marketplace by meeting pre-tender requirements
The implementation process
- Define an information security policy
- Define scope of the information security management system
- Perform a security risk assessment
- Manage the identified risk
- Select controls to be implemented and applied, and prepare a Statement of Applicability (SoA)
- Review management practices with a view to obtaining ISO 27001 certification
- Carry out internal audits and management review