ISO 27001 INFORMATION SECURITY MANAGEMENT SYSTEMS
Our simple approach to ISO 27001 compliance:
Are you interested in becoming ISO 27001 certified?
ISO 27001 is the most well established and widely recognised of all standards for information security management. Becoming ISO 27001 certified is a significant accolade and can open doors to new business opportunities. Many organisations have heard of the ISO 27001 standard but still only a minority have actually achieved approval. Would you like to add UKAS accredited ISO 27001 certification to your business credentials? This page is all about the ISO process, including ISO 27001 audits and ISO 27001 consultancy. For help with ISO 27001 or to speak with an ISO 9001 consultant, use the enquiry button at the bottom of the page.
What is ISO 27001 and why is it important?
ISO 27001 is an internationally recognised standard for the design, development and implementation of an information security management system (ISMS). It can be applied to any type or size of organisation in any business sector. Its clauses define the baseline requirements for an ISMS in functional terms, i.e. it describes what you need to control without telling you how to run your business. The importance of ISO 27001 derives from its universal recognition as a badge of commitment to information security, coupled with a declared commitment to the continual improvement of information security performance. Of all the information security programmes available, ISO 27001 is the most suitable for SMEs taking their first step to establish the structures and processes necessary for sustainable growth.
Already certified but need to simplify or modernise?
If you are one of those more mature businesses for whom ISO 27001 has long been a fact of life, we invite you to consider if your current information security management system has evolved with your business and used the risk toolkit in ISO 27001 to manage the emerging threats and increasing cyber security risks. QFactorial is adept at modernising and simplifying legacy information security management systems to meet the changing needs of organizations as their business context evolves and security threats become more realistic and sophisticated.
Benefits of ISO 27001, information security management systems and certification
Most business leaders answer this in terms of customer and market demand. “I need ISO 27001 to prequalify for a tender process” or “In this market we are up against competitors who already have ISO 27001, and this seems to give them an edge.” Even if neither is true, you may have an opportunity to get ahead of the competition by being the first to be awarded an ISO 27001 certificate. But the certificate is only half the story. The real value is in having an information security management system that brings control, compliance, governance, assurance and continual improvement to the way you look after your information, data and systems. With or without certification, ISO 27001 is a great starting point for developing a mature ISMS to support your business strategy and objectives.
Key features and requirements of the ISO 27001 standard
ISO 27001 is fully aligned with ISO 9001. This means that the basic structure and overarching management controls are the same, so you can integrate your ISO 27001 solution with your ISO 9001 solution. There are of course some specific technical additions focused on information security concerns; however, the overlaps in management areas are worth exploiting to minimise the administrative burden. Some of the key features of ISO 27001 include: leadership, policy, objectives, planning, resources, competence, communication, documentation, operations, emergency preparedness, legal (and other) compliance, nonconformance, risk assessment and treatment, incidents, performance evaluation, internal audit, management review and improvement. The biggest challenge is to deal with the 114 Annex A controls in a pragmatic and risk-based manner.
Certification and accreditation
The first thing you need to know about certification and accreditation is that ISO certificates are not all created equal. The world is not a perfect place and there are good and bad ISO certificates. The bad ones are those that cost a few pounds/dollars and require virtually no work to gain and retain. Obviously, these have no real value and carry the risk of embarrassment or loss of a contract if anyone checks the credentials of the “certification body”. To avoid this minefield, make sure you get a UKAS-accredited certificate. The UKAS accreditation mark is an important indicator of the validity of any ISO 27001 certificate issued in the UK. It demonstrates that the certification body awarding the certificate is approved (accredited) by UKAS to carry out audits and issue certificates. Other international accreditations may be valid by multi-national agreement, but only UKAS has this authority granted directly by the UK Government.
Choosing an ISO 27001 consultant
There are many good reasons for partnering with an experienced and knowledgeable consultant when implementing ISO 27001. The first is that it is very easy to over-egg the ISO pudding if you try to implement the standard clause by clause instead of using a risk-based approach. You must also avoid consultants who clone solutions from templates or impose standard documentation that doesn’t look or feel like the way you want the business to run. A good consultant will translate and interpret the jargon of ISO 27001 into business language in the most cost-effective and pragmatic way for your business. A good consultant will give you the tools to make your ISMS work and show you how to use them. Finally, a good consultant will challenge you during internal audits and be your advocate in external audits.
Choosing an ISO 27001 auditor (certification body)
An important task for any ISO consultant is to advise you on the selection and appointment of a suitable UKAS-accredited certification body. This should be done with due diligence, just like any other critical purchase. One of the founding fathers of quality management, W Edwards Deming, said we should end the practice of awarding business on price alone. This rule should apply equally when selecting auditors – and indeed consultants! Other factors include sector experience, resource availability, peer recognition, geographical coverage and scope of accreditation.
Working with your ISO 27001 consultant - the QFactorial approach
At QFactorial we have a very simple approach to ISO projects, regardless of the size or type of client, the maturity of your ISMS or the complexity of your systems and processes. We use our unique Q!Diagnostic method to generate a detailed and specific Information Security Roadmap. This will be our guide through the collaborative design, development and implementation of your new or revised information security management system.
Stage 1 ISO certification – passing the desktop audit
All certification bodies follow a two-stage model, starting with the Stage 1 documentation audit. This is often known as a desktop audit as it mainly consists of the auditor visiting your premises to read and review the documents that describe and demonstrate your policies, objectives, metrics (KPIs), processes, procedures, instructions, plans, decisions, check points and other ISMS controls. The general approach during the ISO 27001 Stage 1 audit is “explain how you have implemented each element of the standard and where you have documented it in your ISMS”. Questions will be asked at this stage, but detailed investigation and evidence of the ISMS in action is reserved for Stage 2.
Stage 2 ISO certification – passing the physical audit
Having established the theoretical compliance of the ISMS with ISO 27001 during the Stage 1 audit, Stage 2 is more about checking that the ISMS is fully and consistently implemented in practice. Typically, this will involve interviews with members of your team at all levels of the organisation, sampling from a range of processes and functions. The general approach during the ISO 27001 Stage 2 audit is “tell me how this works, take me to where it happens, introduce me to the people, show me the evidence”.
Remote ISO consultancy and remote audit under Covid-19 restrictions
During the coronavirus pandemic the ISO audit process has moved online with both stages taking place via MS Teams, Zoom or other video conferencing tools. These have become widely known as remote audits and are considered just as valid as the site visits previously undertaken. Now that remote auditing has been proven to work, it is expected to remain as part of the audit toolbox, especially for Stage 1 and perhaps Stage 2 where there is only office activity and no production, construction or service delivery to be witnessed.
To learn more about gaining ISO 27001 certification or upgrading your information security management system, simply click the enquiry button and a QFactorial consultant will contact you to discuss your specific needs.