ISO 27001

Setting the standard in achieving information security best practice

ISO 27001, formally ISO/IEC 27001:2013, is an internationally recognised and widely adopted standard for information security. It takes a risk-based approach to securing an organisation’s most valuable information – whether that’s in digital or physical form.

The standard has no ties to any specific vendor or technology. Rather than focusing on the latest technical solutions, ISO 27001 helps organisations to manage risks to the business from accidental or deliberate misuse of confidential information.

In effect, ISO 27001 provides a framework for best practice in managing your information security. Unlike self-regulated standards, being certified to ISO 27001 involves having an independent external organisation verifying at least once a year that you operate your security appropriately.

 ✔ Manage your IT security risk

 ✔ Keep confidential data secure

 ✔ Improve your business processes

 ✔ Meet third-party risk assessments

 ✔ Comply with regulations

 ✔ Protect your organisation’s reputation

There may also be external reasons why you need to become certified. Some organisations are subject to regulations such as GDPR, HIPAA or the EU NIS Directive, and ISO 27001 certification can help to demonstrate compliance with them. In other cases, companies must show they follow information security best practice in order to become an approved supplier to a large enterprise. Certification can also smooth the due diligence process during an acquisition, and it may reduce your cyber insurance premiums.

The latest version of the ISO 27001 standard provides a set of standardised requirements for an information security management system, or ISMS for short. This combines into one place the various processes, documents, technology and people that you will use to manage, monitor, audit and improve your information security. By becoming certified to the standard, you will have a process-based approach for setting up, operating, monitoring and maintaining your ISMS.

Put another way, following information security best practice makes good business sense.

It’s a myth that ISO 27001 is for large organisations only; even companies with fewer than 10 employees find it’s valuable to get certified. Every organisation, regardless of industry, has confidential information such as customer data, payroll information, financial data or intellectual property. Whether regulated or not, organisations have a duty to protect that information.

What is our process?

We start by ensuring that the certification efforts have support from the highest levels of the business. That’s critical to ensuring not just a successful project but a sustained culture of security in your organisation, no matter what size.

Whether your organisation needs to measure your current information security practices against the ISO 27001 standard, or achieve certification to the standard, we provide the following steps:

  • Gap analysis – This phase determines the current status of your ISMS against the requirements of ISO 27001. Through interviews with the staff responsible, we evaluate the existing security controls and identify areas for improvement that are needed to achieve certification. At the end of this phase, we produce a report outlining the areas to address and the steps for doing so.

  • Risk assessment workshops – The workshop entails identifying information assets, developing a risk assessment methodology that suits the organisation’s needs, identifying and scoring risks, and building a risk treatment plan. This is another critical stage in the process, because it is where the organisation decides what level of risk it is prepared to accept (its risk appetite) and identifies the risks that exceed it. It also involves selecting the human, process or technical controls that will bring those risks down to an acceptable level. The outcome of this stage is a comprehensive document along with tools to enable the business to maintain its risk assessment and risk management programmes.

  • Aligning your ISMS with ISO 27001 – We can help with aligning your ISMS with the standard. We conduct a thorough exercise that covers: the clauses of the standard that are relevant to your ISMS; an overview of the organisation’s activities and services; current information security manuals and policies; the business continuity strategy; copies of internal audits to date; control of documents within the scope of the ISMS; how the organisation identifies weaknesses in its ISMS; how internal ISMS audits will be conducted, by whom and how often; a description of the risk assessment methodology; and a copy of the information security risk assessment report, which lists the identified unacceptable risks together with the risk treatment plans to mitigate them.

  • Implementation – To achieve certification to ISO 27001, it is essential to show that you are applying the standard rigorously to your ISMS. This means ensuring all policies and procedures are properly documented and up to date; making all staff aware of the relevant processes and procedures; assigning information security roles to specific staff and making clear what those roles entail; and maintaining audit logs and other evidence as proof that you adhere to your policies and procedures.

  • Internal audits – An internal audit programme that regularly checks the ISMS, or sections of it, is a requirement of the standard (clause 9.2) and is needed to maintain certification. It ensures the ISMS continues to follow the requirements set out in the standard. We can provide this audit as a service, with scheduled audits to a timeframe agreed with your organisation.

  • Training – We provide a range of training courses around ISO 27001 that outline the principles of information security and their importance to an organisation. We combine course materials with practical exercises, tips and case studies. The training helps information security managers, senior managers, quality professionals and IT staff to identify the benefits of implementing ISO 27001 and to understand the basics of information risk management.
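The risk assessment workshop step above produces a risk register and a treatment plan: each risk is scored, compared against the organisation’s risk appetite, and assigned controls until the residual risk is acceptable. The following is an added illustration of that mechanism in Python; it is not BH Consulting’s tooling or a document from the standard. The 1–5 qualitative scales, the risk appetite threshold of 8, the sample assets and threats, and the control reductions are all assumptions; the Annex A references are from ISO/IEC 27001:2013 and are used only to show how a control maps back to the standard.

```python
"""Qualitative risk register with a treatment plan check against risk appetite.

Added example; scales, threshold, assets, risks and control effects are
illustrative assumptions, not figures from the page or the standard.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed qualitative scales: 1 = very low ... 5 = very high.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed risk appetite: a residual score above this is unacceptable and must be treated further.
RISK_APPETITE = 8


@dataclass
class Control:
    ref: str                      # Annex A reference (ISO/IEC 27001:2013), illustrative mapping
    name: str
    likelihood_reduction: int = 0  # assumed effect on the likelihood score
    impact_reduction: int = 0      # assumed effect on the impact score


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    treatment: str = "mitigate"    # mitigate | accept | transfer | avoid
    controls: List[Control] = field(default_factory=list)

    @property
    def inherent(self) -> int:
        """Score before any controls: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def residual(self) -> int:
        """Score after the planned controls; neither factor drops below 1."""
        lik = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(lik, 1) * max(imp, 1)


def treatment_plan(register: List[Risk]) -> List[Dict[str, object]]:
    """Build treatment plan rows, highest inherent risk first.

    A risk is ACCEPTABLE when its residual score is within appetite, AVOIDED when
    the activity is dropped, and UNACCEPTABLE otherwise, so the risk owner must
    add controls or change the treatment before the plan can be signed off.
    """
    rows = []
    for r in sorted(register, key=lambda x: x.inherent, reverse=True):
        if r.treatment == "avoid":
            status = "AVOIDED"
        elif r.residual <= RISK_APPETITE:
            status = "ACCEPTABLE"
        else:
            status = "UNACCEPTABLE"
        rows.append({
            "asset": r.asset, "threat": r.threat, "inherent": r.inherent,
            "residual": r.residual, "treatment": r.treatment,
            "controls": [c.ref for c in r.controls], "status": status,
        })
    return rows


def sample_register() -> List[Risk]:
    """Constructed sample register for a small company (assumed data)."""
    backups = Control("A.12.3.1", "Information backup", impact_reduction=2)
    patching = Control("A.12.6.1", "Management of technical vulnerabilities", likelihood_reduction=1)
    priv_access = Control("A.9.2.3", "Management of privileged access rights", likelihood_reduction=1)
    disk_crypto = Control("A.10.1.1", "Policy on the use of cryptographic controls", impact_reduction=2)
    awareness = Control("A.7.2.2", "Information security awareness, education and training", likelihood_reduction=1)
    return [
        Risk("Customer database", "Ransomware", "likely", "major", controls=[backups, patching]),
        Risk("Payroll data", "Unauthorised access by staff", "possible", "major", controls=[priv_access]),
        Risk("Staff laptops", "Loss or theft", "likely", "moderate", controls=[disk_crypto]),
        Risk("Source code", "Credential phishing", "possible", "moderate", controls=[awareness]),
        Risk("Paper contracts", "Office fire", "unlikely", "moderate", treatment="accept"),
        # Patching alone leaves this one above appetite, so the plan flags it.
        Risk("Public web application", "Injection attack on customer records", "likely", "severe", controls=[patching]),
    ]


def unacceptable(register: List[Risk]) -> List[str]:
    """Assets whose residual risk still exceeds appetite (the workshop's action list)."""
    return [row["asset"] for row in treatment_plan(register) if row["status"] == "UNACCEPTABLE"]


if __name__ == "__main__":
    for row in treatment_plan(sample_register()):
        print(f"{row['status']:12} {row['asset']:24} inherent={row['inherent']:2} "
              f"residual={row['residual']:2} controls={','.join(row['controls']) or '-'}")
```

Running the block prints the plan in the order an auditor would expect to see it (highest inherent risk first) and leaves one row flagged UNACCEPTABLE: the web application, where the only planned control does not bring the score within the stated appetite. That flagged row is the kind of item the workshop is designed to surface, so a control is chosen or the appetite is consciously revisited before the plan is signed off, rather than leaving the gap to be found at the certification audit.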

ISO 27001 enables a company to implement a structured, risk-based approach to managing information security, and gives it mechanisms to address, reduce and monitor those risks over time. Talk to us today to find out more about how we can provide tailored, cost-effective packages based on your organisation’s size and risk profile.

Contact Us

Please leave your contact details and a member of our team will be in touch shortly.

By submitting my information I consent to my data being processed by BH Consulting. For further information please read our privacy statement.