The Service

ISO 27001 is an internationally recognised and widely adopted standard for information security. It takes a risk-based approach to securing an organisation’s most valuable information – whether that’s in digital or physical form.

ISO 27001 helps you manage the risk to your business from accidental or deliberate misuse of confidential information. Above all, complying with ISO 27001 gives you a best-practice framework for managing information security. Unlike self-attested frameworks, being certified to ISO 27001 means an accredited certification body independently verifies that you control security appropriately: a surveillance audit at least once a year and a full recertification audit on a three-year cycle.

At BH Consulting, we help clients implement ISO 27001 efficiently and effectively, whether they are looking to achieve full certification or just wishing to align with ISO 27001.

The Benefits

  • Manage your information security risk

  • Keep confidential data secure

  • Improve your business processes

  • Satisfy customers’ third-party risk assessments

  • Comply with regulations

  • Protect your organisation’s reputation

The Challenge

Any organisation that has confidential information to protect, such as customer data, payroll information, financial data or intellectual property, should consider aligning with, or becoming fully certified to, ISO 27001.

There may also be external reasons why you need to become certified. Some organisations are subject to regulations such as GDPR, HIPAA or the EU NIS directive; an ISO 27001 ISMS helps you demonstrate that appropriate security controls are in place, although certification on its own is not the same as compliance with those regulations. You may also have to show that you follow best-practice information security to become an approved supplier to a larger enterprise. Certification may also help reduce your cyber insurance premiums.

Our Process

At BH Consulting, we start by ensuring the certification effort has support from the highest levels of your business. That is critical not just to a successful project but to a sustained culture of security in your organisation, whatever its size.

Whether you need to measure your current information security practices against ISO 27001 or achieve certification to the standard, we provide the following steps: gap analysis, risk assessment, ISMS alignment, documentation, internal audit and training.

Gap Analysis

This phase determines the current status of your Information Security Management System (ISMS) against the requirements of ISO 27001. Through interviews with the people who own and operate the controls, we evaluate the security controls in place and identify the areas that must improve before certification is possible. At the end of this phase, we produce a report outlining the areas to address and the steps to address them.

Risk Assessment

The Risk Assessment workshop entails identifying information assets, developing a risk assessment methodology that suits the organisation’s needs, identifying risks and building a risk treatment plan. This is another critical stage, because it sets the organisation’s risk acceptance criteria (the level of risk it is prepared to accept) and identifies the risks that exceed them. It also involves selecting the people, process or technical controls that bring each unacceptable risk within the accepted level. The outcome of this stage is a comprehensive risk assessment document, along with tools that enable the business to maintain its own risk assessment and risk management programmes between assessments.

ISMS Alignment

We help align your ISMS with the requirements of ISO 27001. The activities in this phase include assessing the clauses of the standard that apply to your ISMS; an overview of the organisation’s activities and services; a review of current information security manuals and policies; a review of the business continuity strategy; and a review of any internal audits carried out to date. We also look at how documents within the scope of the ISMS are controlled, how your organisation identifies weaknesses within its ISMS, and how internal ISMS audits will be conducted, by whom and how often. We document the risk assessment methodology and provide a copy of the information security risk assessment report, which lists the identified unacceptable risks together with the risk treatment plans to mitigate them.

Documentation and Evidence

To achieve certification to ISO 27001, you must show that you are applying the standard rigorously to your ISMS. This means ensuring all policies and procedures are documented, approved and up to date; making all staff aware of the processes and procedures relevant to them; assigning information security roles to named staff and making clear what those roles entail; and retaining audit logs, records and other evidence that your organisation actually follows its policies and procedures. Certification auditors test the evidence, not the policy document, so a control that exists on paper but leaves no record will not pass.

Internal Audit

Regular internal audits of the ISMS, or of parts of it, are a requirement of the standard and a condition of keeping certification, because they confirm the ISMS continues to meet the requirements set out in ISO 27001. The standard also requires auditors to be objective and impartial, so staff should not audit their own work. We can provide this audit ‘as a service’, with audits scheduled to a timeframe agreed with your organisation.

Training

We provide a range of training courses on ISO 27001 that explain the principles of information security and their importance to an organisation. We combine course materials with practical exercises, tips and case studies. The training helps information security managers, senior managers, quality professionals and IT staff to understand the benefits of implementing ISO 27001 and the basics of information risk management.
