ISO 27001:2013 Certification/ Registration
Our proven route to ISO 27001 Certification is standard & as ISO 9001: Initial visit/Gap Analysis – Document System – Support/Train/Provide all Documentation – Internally Audit – Correct Audit Findings – Support during Independent UKAS Assessment: Fixed Cost Guaranteed UKAS Certification – First Time – Every Time
Our systems help you manage & protect both your own & your customer’s data.
In an ever increasing age of security awareness & media exposure of careless information handling, the protection of data is critical. Sectors such as finance, health, public and IT have become particularly sensitive. Hence, certification to ISO 27001 is increasingly a “must have” for winning new contracts (or just hanging on to the old ones).
Our ISO 27001 Certification Process:-
ISO 27001 Information Security Management System (ISMS)
Top Management must define a Mgt System & methodology that is appropriate to control its Information Assets & evaluated risks. We take away the pain & fully document the System for you
ISO 27001 Statement of Applicability
The company must fully review clause by clause, the requirements of the ISO 27001 standard. It should then complete a “Statement of Applicability” identifying the controls necessary to address each clause as applicable. We further take the pain away by giving you a Statement of Applicability anonymised but already completed for companies very similar to yours. We instruct on how to customise specific to you.
ISO 27001 Risk Evaluation
The company must then define a risk assessment methodology for Information Security (IS) risks, compliant to ISO 27001. Identify criteria for accepting risks and identify the acceptable levels of risk. Develop a Risk Treatment Plan to bring all identified risks to an acceptable level. Again we provide a completed template & instruct on how to identify your specific Information Assets & formally Assess. You then with our help –
Identify all information security assets in the company and compile the Asset/Risk Register. An asset can be information sitting on Servers, Personal Laptops or indeed knowledge stored in people’s heads
Identify combinations of threats and vulnerabilities relating to the asset (an IS Aspect), and then identify the impacts that losses of confidentiality, integrity and availability may have on the asset completing the Asset/Risk Assessment Register.
The impacts take into account the business, legal or contractual obligations that the company has.
The assessment then looks at the likelihood of the security failure occurring by a combination of the frequency of the threat and the likelihood of success.
A combination of the impact and likelihood of the security failure provides a level of the risk normally in three categories:
Low Risk: No immediate action required although there may be improvements in processes/technology that reduce the impact of the security failure further.
Medium Risk: Must be included in the management review of the IMS with actions identified if required and inclusion in the Risk Treatment Plan.
High Risk: Must be included in the Risk Treatment Plan for positive actions to reduce the risk.
The Asset Risk Assessments are then included in the ISO 27001 Information Security Management Review Meeting, the meeting identifies a risk treatment plan for High and selected Medium Risks, identifying timescales, actions and responsibilities to complete.
ISO 27001 Auditing
A full Internal Audit against the requirements of ISO 27001 must then be completed prior to independent assessment by a UKAS Approved Certification Body. This can be seen as a Dummy Run which we complete for you & help correct any findings. Finally we hand hold you through the Independent UKAS Certification Assessment!