Information is the main asset of any company. As organisations, we are aware of the large amount of sensitive data handled within our systems, data that must remain accessible but also secure.
Therefore, it is essential to defend the information we store in our companies; failing to do so could affect the continuity and development of the business, not to mention what it would entail at the legal level.
More information, more risk? It doesn't have to be that way. Still, we all know that the more valuable our customer information is, the greater the risk of being vulnerable. Therefore, whoever protects your company's information protects your client.
ISMS + ISO 27001: The Perfect Couple
How do we defend it? It's easy: with the Information Security Management System (ISMS), which allows organisations to manage and minimise the risks related to information security so that the most effective controls, consistent with each company's business strategy, are adopted.
The implementation and certification of this system offers a guarantee of confidentiality, integrity and availability of stored data, and this is where ISO 27001 comes in. Three letters and five numbers that might look like a postal code are in fact an international standard, born with the objective of allowing any organisation (regardless of size or activity) to assess risk and apply appropriate controls to preserve the confidentiality, integrity and availability of information assets.
Currently, the presence of this standard stands out in companies dedicated to information technology services, as well as insurance companies, companies in the transport sector, governments, etc.
What are the Objectives?
The fundamental objective is to protect the information of your organisation so that it does not fall into the wrong hands or get lost forever, in addition to ensuring its security. Another objective is the identification of the risks that arise from the mass storage of information. The last objective is to facilitate the understanding of the standard and its integration with management systems.
The current version of ISO 27001 is divided into two parts. The second part establishes the control objectives and the reference controls and the first part consists of the following ten points:
- Object and field of application.
- Rules for consultation.
- Terms and definitions. They are based on ISO/IEC 27000.
- Context of the organisation. The needs and expectations, inside and outside the organisation, that directly or indirectly affect the information security management system are determined.
- Leadership. Senior management must be committed to the management system, establishing policies and ensuring the integration of security system requirements into the organisation's processes.
- Planning. Security risks must be assessed, analyzed and evaluated. In addition, the objectives and plans to achieve these objectives must also be defined at this point.
- Support. The resources allocated by the organisation are defined.
- Operation. The planning of the operation, as well as the assessment of the risks and their treatment.
- Evaluation. Due to the importance of the PDVA cycle (Plan, Do, Verify, Act), monitoring, measurement, analysis and evaluation of the information management system must be carried out.
As we have said before, ISO 27001 is a standard applicable to any company. Do you want to leave a mark on the security of your client? These are the essential steps to carry out the certification process:
First phase: the first 14 steps
We rarely think of the beginning of the road as the part that matters most; however, when it comes to security, it is necessary to build a good base to reach the top without any difficulty. Therefore, in this phase of the process we must implement 14 basic steps:
- Obtain management support throughout the implementation process.
- Use a project management methodology.
- Define the scope of the Security System.
- Write a specific policy.
- Define a risk assessment methodology.
- Write the Risk Treatment Plan.
- Define how progress will be measured.
- Implementation of controls.
- Train and create work teams.
- Perform the daily operations described in the standard.
- Monitor the actions.
- Conduct an audit with personnel belonging to the company.
- Conduct a review by management.
- Implement the relevant corrective measures.
Second phase: stand up and look back. Everything okay?
This is the review part. Once certification has been requested from the chosen certification body, a group of professionals from outside the organisation will review the documentation required by the standard.
Third phase: Let’s walk together
Once it has been verified that the organisation has the required documentation, the group of auditors will visit the company to confirm that it complies with the minimum indicators established in ISO 27001. If not, it will be given a deadline to apply the necessary corrections and to appear again before the auditors. But if the answer is positive, the company will be certified.
Fourth phase: Have you arrived? There is still a long way to go
After the certificate has been issued, the certifier will carry out a series of periodic audits during the next three years to monitor the organisation's efforts in information security. The idea is that controls are maintained and efforts are not reduced during that period.
Advantages of obtaining Certification
The advantages of ISO 27001 certification seem quite obvious, but in case of any doubt, these are some of them:
- Improvement of business management and security for shareholders, customers, consumers and suppliers.
- Investment goes where it is needed, since the evaluation identifies the threats to the assets and assesses their vulnerability and the risk of occurrence.
- Minimize the risks inherent in information security (data loss, theft, corruption, etc.).
- Ensure legal compliance.
- Generate trust among customers by ensuring good data management.
- Motivate staff and raise awareness of the importance of information security.
Our team of highly qualified experts helps companies and their personnel prepare for ISO 27001 certification. Through our training we guide you throughout the certification process, giving you the necessary guidelines to obtain ISO 27001 certification successfully.