Achieving your ISO 27001 certification

In world where data is the forefront of any business, being certified for compliance is something that all businesses should be considering. Security breaches are becoming far to common with attackers evolving in complexity and frequency and data is therefore vulnerable. The ISO 27001 certification takes this into account and provides a risk-based approach to implement an Information Security Management System (ISMS) in order to protect the data assets and systems of a business.

What is the ISO 27001?

The ISO 27001 certification is essentially a framework of standards for information security created by the International Organisation for Standardisation (ISO). A set of specifications are set out to create and maintain an effective ISMS. The purpose of the ISMS is to help businesses handle critical information and prevent data from being mishandled, lost or destroyed.

Why is it important??

We know that cyber attacks have been on the rise and many businesses have been successfully breached, so it’s important to take measures to protect business, employee, customer and supplier data.  Achieving the certification is an indication that your information security risks are being well managed, data is being handled effectively and that your business is proactive rather than reactive.

The certification is valuable to all businesses because it helps to “establish, implement, operate, monitor, review, maintain and continually improve an ISMS”. Should an issue arise, the processes outlined by an ISMS will determine what steps should be taken to tackle the error and reduce future risk.­ This certification is recognised world-wide and shows that your business is aligned with information security best practice.

What are the benefits?

Client confidence

Any business partnerships you create, whether that’s with a supplier or a customer, will be assured that their data will be kept safe from external or internal threats. This also shows your commitment to taking cyber security seriously.

Competitive edge

Doing business in today’s world revolves around staying ahead of the game and competitive. It’s always essential to stand out in front of the crowd. Achieving the ISO 27001 proves that you’ve met the full standards of information security, demonstrating a competitive edge and adding value to your business in the marketplace. And don’t forget, this is going to help your sales team with prospective clients too!

Reduced cyber risk

Although ISO 27001 doesn’t necessarily have the ability to directly reduce the number of attacks, it can reduce the chance of attackers succeeding. The certification encourages businesses to be ‘security first’, anticipating, staying on top of and remediating any weaknesses.

Compliance

Your ISO 27001 certification is hard proof that you comply with information security to international standards. Regulators can then understand that your business takes information security seriously across other legislations and regulations (E.g. GDPR and Data Protection Act).

The process of achieving the ISO 27001 accreditation

Before jumping into the two stages of accreditation, there are three main pillars to be considered – people, processes and technology.

People

You’ll need a leadership team to guide the processes and implementation, and ensure that business goals are being considered and that leaders are taking the accreditation seriously. Auditors will want to see that senior leaders understand the accreditation and what that could mean for the business. You don’t want to get into a situation where a senior leader gets caught out in front of an auditor, it doesn’t look professional or show dedication.

Processes

All processes are crucial when it comes to implantation, and especially reducing risk. This will involve defining roles and documentation that will be used to reduce risk.

Technology 

This is an important part when it comes to an effective cyber security strategy and to prevent threats. But without the right technology in place, not having the right processes and people will create vulnerabilities.

Stage 1 Assessment

The initial first assessment will be a review of your current documented processes in order to determine how much or how little your business already meets the requirements of ISO 27001. Once this stage is completed, you can expect a final report which will include what happened in the assessment, along with an overview of next steps and areas of improvements to achieve the certification. Some areas may needed to be acted on immediately, others can be review during the next assessment.

Stage 2 Assessment

Your auditor will take into account if any issues identified in the previous assessment have been attended too. You’ll also need to provide evidence of internal audits and management reviews to prove to the auditor that correct processes are in place and that you have the means to mitigate risks of a data breach in accordance to the ISO 27001. At this point it will be decided if your business meets all the requirements and whether you’ll be awarded the certification.

Some key steps to Implementing an ISMS

• Scope the project
• Getting leadership involved
• Manage and secure the budget
• Conduct a risk assessment
• Documenting to the necessary documentation
• Planning staff awareness training
• Consistently measuring, monitoring, reviewing and auditing the ISMS

How to maintain your ISO 27001 compliance

1. Make use of the ISMS

Ensure that you keep your ISMS a priority and make use of it. You should be implementing all procedures and requirements that are a part of the ISO 27001.

2. Keep your documentation updated

As business evolve and grow, policies and procedures can also change, so it’s important to update the appropriate documentation and make it a part of your management system to ensure compliance.

3. Keep up with risk assessments and regular testing

New threats are always emerging, that’s why risk assessment strategies should also be updated to keep up with this. Testing your environment on a regular basis will also help identify risks in order to quickly remediate the issue.

4. Perform internal audits

Regular audits are also an important part of maintaining your certification. There might have been issues they may have been overlooked, especially when multiple factors need to be considered. Auditing will uncover anything that has been missed.

How we helped a key client achieve their ISO 27001 certification

OryxAlign has previous already successfully achieved the ISO 27001 accreditation and till date remains compliant. Due to thorough knowledge of the process and what’s required,  an award winning data centre client reached out to our team for guidance in which our team took a consultative approach to aid in completing the ISO accreditation as a service.

The first stage was to complete an initial assessment to understand their current environment in terms of meeting requirements. The assessment was carried out according to the accreditation criteria and then reported back to our client to initiate further steps and complete the accreditation process.

Following on from achieving the accreditation, our team supplied the client with an on-site engineer and Network/Infrastructure engineer on a quarterly basis to spend a full day compiling information that is required by the auditors for when audits are conducted yearly to ensure they remain compliant. Whilst there is a high-level list of collating necessary information, some of the information that was collected included evidence that backup testing and patching across the estate is being carried out monthly, firmware updates are being done bi-annually and that security and password policies were up to date.

Looking to get ISO 27001 certified? Contact us for a consultation to get started.