ISO 27001 – Information Security Management System

ISO 27001 is the internationally recognized standard for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.

ISO 27001 Information Security Management System

Many of the benefits of implementing an effective ISO 27001 Information Security Management System (ISMS) relate to being proactive in preventing information security incidents and, if they do occur, addressing them in a timely manner.

Another benefit is being prepared when an information security breach happens and being able to implement actions that minimise the impact of the breach and the disruption to the business.

Using our experience, we will guide you from implementation to certification. This is something we at EQS have done successfully over the past years.

An ISO 27001 Information Security Management System and an ISO 22301 Business Continuity Management System are interwoven with one another: the two standards have complementary requirements, and implementing them together further drives your organisation towards brand integrity and customer confidence.

ISO 22301 Business Continuity Management System

The most obvious benefit of an ISO 22301 Business Continuity Management System (BCMS) is that it decreases the amount of “down time” associated with business disruptions, and time is money. By implementing the requirements of ISO 22301 you ensure that the elements of a robust management system are in place, thereby minimising your business risks and ensuring that controls are in place and being maintained.

EQS can assist you with your Business Continuity Management System implementation up to the point of being ready for external certification.

Sections of best practices

There are 114 controls in 14 clauses and 35 control categories. These sections specify the best practices for:

  • Business continuity planning
  • System access control
  • System acquisition, development and maintenance
  • Physical and environmental security
  • Compliance
  • Information security incident management
  • Personnel security
  • Security organization
  • Communication and operations management
  • Asset classification and control
  • Information Security policies

Achieving certification to ISO 27001 demonstrates that your company is following information security best practice.

The typical stages in implementing ISO 27001 are:

ISO 27001 Gap Analysis:

Identify which requirements of ISO 27001 are already addressed in your current management system, and identify the areas which must be addressed in more detail to align it with the ISO 27001 standard.

Planning session:

Determine and document:

  • the scope of the management system;
  • the context of the organisation, with a focus on external and internal parties and issues;
  • the core business processes applicable in the organisation; and
  • the Information Security Management System policy.

Risk Assessment:

Facilitate the identification of information assets, conduct the risk assessment, establish the risk treatment process and compile the Statement of Applicability.

Policy & procedure facilitation:

Facilitate the identification, compilation and implementation of internal policies and procedures for the controls selected from ISO 27001 Annex A.

ISO 27001 Overview training:

Facilitate a workshop to familiarise the management team and staff with the concepts and requirements of the ISO 27001 standard.

Conducting internal audits:

It is a requirement to conduct at least one full set of internal audits as well as a management review prior to certification. We are competent to deliver this service.

  • Facilitate the implementation of the actions required to address identified non-conformities
  • Facilitate the management review meeting
  • Facilitate the external certification assessment

Implementing an Information Security Management System based on ISO 27001 will involve your whole organisation including interdependencies with other systems. An Information Security Management System is specific to the organisation that implements it, so no two ISO 27001 projects are the same.

Please note: the stages of implementation can be facilitated as a complete project, or they can be broken down so that EQS assists with only selected parts, as per your requirements.

Contributing factors to successful implementation:

  • Own it from the top and ensure all senior managers are on board and involved.
  • Ensure the ISMS is a living process that is built into the culture of the organization so that it continues to function.
  • Prioritise the process within the organisation: make clear that this is going to happen, and explain why, to get company-wide buy-in.
  • Engage an experienced third party to drive the process from outside the organisation to ensure progress continues even when the pressure is on.
  • Do your risk assessment first and then base all your security controls on the risks you have identified. Do not start implementing controls because they sound good, otherwise you will tie yourself up in knots and do a lot of unnecessary work.
  • Ensure this project is present in all strategic plans, budgets and resource allocations.
  • Keep communication lines open and maintain transparency of the entire process.
  • Ensure it is not viewed as an IT project, with only IT staff in the project team.
  • Avoid difficult technical language, keep it short, simple and practical.
  • Focus on business risks/issues and not technical issues only.
  • Make it part of your normal day to day operations.
  • Keep considering environmental changes; amend the risk assessment and modify the Statement of Applicability and related controls accordingly.

Benefits of an ISO 27001 ISMS:

  • It demonstrates compliance with customer, regulatory and/or other requirements;
  • It helps to win new business and retain existing customers;
  • It lets you manage, monitor, audit and improve your organisation’s information security practices in one place, consistently and cost-effectively;
  • It helps you avoid the potential financial penalties and losses associated with information breaches;
  • By regularly identifying and managing your information security risks, it assists you in keeping up with constantly evolving information security threats;
  • It aligns your information security approach with the organisation’s strategic objectives;
  • It keeps customers’ intellectual property and valuable information secure;
  • It provides customers and stakeholders with confidence in how you manage risks and opportunities;
  • It delivers a set of appropriate technical controls, policies and procedures for reducing, monitoring and reviewing risks;
  • It improves internal structures and clarifies who is responsible for which information assets;
  • It promotes a culture and awareness of information security that ensures information security is entrenched across the business.

Obtaining certification to ISO 27001 provides independent assurance that your ISMS has been audited in accordance with internationally accepted standards for good information security practice.

Effective Quality Solutions can assist with the implementation of an ISO 27001 Information Security Management System.