ISO 27001 – Information Security Management System
ISO 27001:2013 has been updated! ISO/IEC 27001:2022 is now released.
Are you already certified to ISO 27001:2013?
Are you implementing, or planning to implement, ISO 27001:2013?
Certified clients will be required to transition to the new standard before the end of the transition period (31 October 2025), after which ISO/IEC 27001:2013 certificates are no longer valid.
Do you want to know how and when you can transition to the new standard, ISO/IEC 27001:2022?
Give us a call and we will discuss your case and advise you.
Sections of best practices
Annex A of ISO/IEC 27001:2013 contains 114 controls in 14 clauses and 35 control categories. (Annex A of ISO/IEC 27001:2022 regroups these into 93 controls in four themes: organisational, people, physical and technological.) These sections specify the best practices for:
Achieving certification to ISO 27001 demonstrates that your company is following information security best practice.
The typical stages in implementing ISO 27001 are:
ISO 27001 gap analysis:
Identify which requirements of ISO 27001 your current management system already addresses, and which areas must be addressed in more detail to align it with the ISO 27001 standard.
Planning session:
Determine and document
- the scope of the management system;
- the context of the organisation, with a focus on external and internal parties and issues;
- the core business processes applicable to the organisation; and
- the Information Security Management System policy.
Risk assessment:
Facilitate the identification of information assets, conduct the risk assessment, establish the risk treatment process and compile the Statement of Applicability.
Policy and procedure facilitation:
Facilitate the identification, compilation and implementation of the internal policies and procedures required by the ISO 27001 Annex A controls selected in the Statement of Applicability.
ISO 27001 overview training:
Facilitate a workshop to familiarise the management team and staff with the concepts and requirements of the ISO 27001 standard.
Conducting internal audits:
It is a requirement to conduct at least one full set of internal audits, as well as a management review, prior to certification. We are competent to deliver this service.
- Facilitate the implementation of the corrective actions required to address identified non-conformities
- Facilitate the management review meeting
- Facilitate the external certification assessment
Implementing an Information Security Management System based on ISO 27001 will involve your whole organisation, including its interdependencies with other management systems. An Information Security Management System is specific to the organisation that implements it, so no two ISO 27001 projects are the same.
Please note: the implementation stages can be facilitated as a complete project, or broken down so that EQS assists with only selected parts, according to your requirements.
Contributing factors to successful implementation:
- Own it from the top and ensure all senior managers are on board and involved.
- Ensure the ISMS is a living process, built into the culture of the organisation so that it continues to function after certification.
- Prioritise the process within the organisation: make it clear that it is going to happen, and explain why, to get company-wide buy-in.
- Engage an experienced third party to drive the process from outside the organisation to ensure progress continues even when the pressure is on.
- Do your risk assessment first, and then base all your security controls on the risks you have identified. Do not start implementing controls because they sound good; otherwise you will tie yourself in knots and do a lot of unnecessary work.
- Ensure this project is present in all strategic plans, budgets and resource allocations.
- Keep communication lines open and maintain transparency of the entire process.
- Ensure it is not viewed as an IT project, with only IT staff in the project team.
- Avoid difficult technical language, keep it short, simple and practical.
- Focus on business risks/issues and not technical issues only.
- Make it part of your normal day to day operations.
- Keep monitoring changes in your environment, and amend the risk assessment, Statement of Applicability and related controls accordingly.
Benefits of an ISO 27001 ISMS:
- It demonstrates compliance with customer, regulatory and other requirements;
- It helps to win new business and retain existing customers;
- It lets you manage, monitor, audit and improve your organisation's information security practices in one place, consistently and cost-effectively;
- It helps you avoid the financial penalties and losses associated with information breaches;
- By regularly identifying and managing your information security risks, it helps you keep up with constantly evolving threats;
- It aligns your information security approach with the organisation's strategic objectives;
- It keeps customers' intellectual property and valuable information secure;
- It gives customers and stakeholders confidence in how you manage risks and opportunities;
- It delivers a set of appropriate technical controls, policies and procedures for reducing, monitoring and reviewing risks;
- It improves internal structures and clarifies who is responsible for which information assets;
- It promotes a culture and awareness of information security, ensuring that information security is entrenched across the business.
Obtaining certification to ISO 27001 provides independent assurance that your ISMS has been audited in accordance with internationally accepted standards for good information security practice.
Effective Quality Solutions can assist with the implementation of an ISO 27001 Information Security Management System.