ISO 27001

ISO 27001:2013 Certification/ Registration

Our proven route to ISO 27001 Certification is standard & as ISO9001: Initial visit/Gap Analysis – Document System – Support/Train/Provide all Documentation – Internally Audit – Correct Audit Findings – Support during Independent UKAS Assessment – Fixed Cost Guaranteed UKAS Certification

Our systems help you manage & protect both your own & your customer’s data.

In an ever increasing age of security awareness & media exposure of careless information handling, the protection of data is critical. Sectors such as finance, health, public and IT have become particularly sensitive. Hence, certification to ISO 27001 is increasingly a “must have” for winning new contracts.

ISO 27001 requirements:-

ISO 27001 Information Security Management System (ISMS)

Top Management must define a policy & methodology that is appropriate to control its Information Assets & evaluated risks.

ISO 27001 Statement of Applicability

The company must fully review clause by clause, the requirements of the ISO 27001 standard. It should then complete a “Statement of Applicability” identifying the controls necessary to address each clause as applicable.

ISO 27001 Risk Evaluation

The company must define a risk assessment methodology for Information Security (IS) risks, compliant to ISO 27001. Identify criteria for accepting risks and identify the acceptable levels of risk. Develop a Risk Treatment Plan to bring all identified risks to an acceptable level.

  • Identify all assets of the company relating to information security and compile an Asset Register.

  • Identify combinations of threats and vulnerabilities relating to the asset (an IS Aspect), and then identify the impacts that losses of confidentiality, integrity and availability may have on the asset using an Asset Risk Assessment Report.

  • The impacts take into account the business, legal or contractual obligations that the company has.

  • The assessment then looks at the likelihood of the security failure occurring by a combination of the frequency of the threat and the likelihood of success.

  • A combination of the impact and likelihood of the security failure provides a level of the risk normally in three categories:

    • Low Risk: No immediate action required although there may be improvements in processes/technology that reduce the impact of the security failure further.

    • Medium Risk: Must be included in the management review of the IMS with actions identified if required and inclusion in the Risk Treatment Plan.

    • High Risk: Must be included in the Risk Treatment Plan for positive actions to reduce the risk.

The Asset Risk Assessments are included in the ISO 27001 Information Security Management Review Meeting, the meeting identifies a risk treatment plan for High and selected Medium Risks, identifying timescales, actions and responsibilities to complete.

ISO 27001 Auditing

A full Internal Audit against the requirements of ISO 27001 must then be completed prior to independent assessment by a UKAS Approved Certification Body.