ISO27001 is the international standard for Information Security, and there are several reasons for deciding that certification is a business requirement. For some companies, it becomes a requirement to get shortlisted for new work. For others, it can be a way for management to ensure good security practices are in place as they grow, or to have a risk-based approach to effectively manage security risks in a constantly changing business environment. Having ISO27001 certification helps with GDPR, but you don’t need certification to meet the GDPR requirements; it helps with aspects such as meeting the Accountability principle and Data Protection by Design and Default.
After deciding to go for certification a company needs to find out what this means for them. There are plenty of online resources and books that list out the requirements, and you can buy the standard (it isn’t a free download). However, these are unlikely to answer all the questions as the standard is scalable and the impact on each company will be different. The key things you need to know are:
- The standard requires management to demonstrate a commitment to provide resources – time, people, funding – to set up and maintain the infrastructure to support the standard
- If you already have an ISO certification, e.g. 9001 or 14001, you should be able to reuse the existing management structure for 27001
- You don’t need to have policies and documents for everything, but there are requirements to keep documented evidence for some things, e.g. information security policy, scope and risk assessment process.
- A Risk Assessment is required that identifies and evaluates risks on the confidentiality, integrity and availability of information assets (electronic and physical). There also needs to be a Risk Treatment plan.
- There needs to be evidence to prove that what you say will be done is being done, and there needs to be a programme of internal audits. This can be a shock to some companies, which see this as very bureaucratic and possibly another sign that the UK/EU/[Add name of your pet bureaucratic hate!] want to make life as difficult as possible for businesses. But this is an International standard and it isn’t a tick-box exercise or one where you can simply buy a set of templates and insert your company name. This takes us back to commitment – if you cannot commit to doing this, certification isn’t for you. The evidence needed is proportionate to the information security risks that need to be managed and to showing that the standard is applied effectively. Done correctly, this isn’t going to result in a full-time job for anyone or in producing documents that no one reads.
- Certification can only be awarded by approved companies. UKAS is the body that does the approval in the UK – beware of companies that are not UKAS-approved, as certifications they issue may not be seen as valid by many organisations. UKAS maintains a list of approved companies on its website. WADIFF Consulting doesn’t award certification; we help companies prepare for it and support them in the ongoing work to retain it. The certification process has Stage 1 and Stage 2 audits. The Stage 1 audit checks that the basics are in place to support ISO27001 requirements. Stage 2 goes into the details and checks for evidence.
- There will be external costs. At a minimum, this will be for certification. Certification bodies calculate the time they require to do audits from the details in Annex B of ISO27006:2015, and costs will vary as their day rates vary. Other costs can be for external consultants – such as WADIFF Consulting 😊 – and to purchase templates and tools.
Getting started on the journey to certification
If you have a member of staff who has implemented the standard before, they should be able to tell you what needs to be done. If they have worked in a supporting role, e.g. doing internal audits, they should be able to give an outline of what has to be done. If you want independent advice, talk to a consultancy with a track record in preparing companies for certification.
WADIFF Consulting has successfully supported a two-man virtual company to get ISO27001 certification – they needed it as it is a requirement for their target market – so we know it can be done for the smallest companies. And we have worked with bigger companies as well.
Get in touch for information about how we can help with ISO27001
t: +44 (0)7941 188462