ISO27001 is the international standard for Information Security, and there are several reasons a company may decide that certification is a business requirement. For some companies, it is a requirement to get shortlisted for new work. For others, it is a way for management to ensure good security practices are in place as the company grows, or to take a risk-based approach to managing security risks effectively in a constantly changing business environment.
Does a company need to be a certain size to get ISO27001?
NO – we have helped companies of all sizes on their journey to certification, from a two-man ‘virtual’ company to one with offices in several countries. Check out our case studies for details of some of the companies we have worked with.
To get ISO27001 certification a company needs to maintain policies, procedures and other documents. This does not need to be a large number of documents, although some companies approach it that way. Only document what is required to make the company operate effectively and to meet the parts of the standard which state that documentation is needed.
Some facts about ISO27001
It consists of Clauses and Controls that can be used to protect the confidentiality, integrity and availability of ‘Information Assets’.
An ‘Information Asset’ is anything used by a business to function and deliver products/services – electronic and physical records, IT kit, buildings etc.
Certification is split into Stage 1 and Stage 2 audits. Stage 1 is a check that core requirements are met. Stage 2 checks the details for all Clauses and the selected Controls, and that there is evidence to back this up.