Protect your business with our ISO 27001 consultants
At ISOexcellence, our ISO 27001 consultants work hard every day to make our clients’ information security goals a reality.
ISO 27001 (formally ISO/IEC 27001) is the international standard for information security management, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It sets out how an organisation should manage information security risk so that the confidentiality, integrity and availability of its information are protected.
ISO 27001 can be applied to any organisation, large or small, in any sector. It requires a sound, risk-based method and robust information security management rather than a fixed checklist of technologies. The standard was developed by an international committee of information security experts, and an ISO 27001 certified firm signals to its customers that an independent certification body has verified that it operates an effective information security management system.
Why does ISO 27001 matter? ISO 27001 has become the most widely recognised information security management standard in the world, and the number of certified organisations continues to grow.
Below we list the four main reasons you should consider implementing ISO 27001 in your organisation.
Legal compliance
Implementing ISO 27001 gives you a structured way to identify and meet the legal, regulatory and contractual requirements that apply to your information: the standard requires you to identify those requirements as part of the context of your ISMS and to address them through your controls. Certification does not by itself make you compliant with any particular law, but it gives you a documented, independently audited system for demonstrating how you meet your obligations, and it puts you ahead of future regulation by proactively strengthening your organisation’s security.
Risk Management
Protect your brand with robust security. Data breaches and perceptions of lax security can be a nightmare for your company’s reputation. The risk-based approach of ISO 27001 helps reduce both the likelihood and the impact of data breaches, maintaining your customers’ trust in your company.
Marketing
With concern over data protection at an all-time high, you can use ISO certification to win over clients by emphasising your company’s robust security. Customers care deeply about the protection and security of their data.
Savings
ISO 27001 compliance will save you money in the long run. Data breaches are expensive to resolve, and an investment in information security is far cheaper than recovering from a serious incident. ISO 27001 is built around identifying and treating risks before they turn into incidents, rather than reacting after the fact.
Why pick us as your ISO 27001 consultant?
Experience you can trust
The biggest factor in choosing a consultant is experience. We have a long history of serving clients across a variety of industries with their information security needs, and that expertise sets us apart from the competition.
A solid reputation
We let our track record speak for itself. With positive client feedback and consistent satisfaction, we’re confident in our ability to serve you. Take a look at our reviews and testimonials to find out what makes us different.
Individualised treatment
At ISOexcellence, we can help you get ISO 27001 certified by understanding your needs and dedicating special attention to your company. Our committed professionals want to help your organisation grow, protect your brand, and keep your stakeholders safe.
Get an ISO 27001 Quotation
What is ISO 27001?
ISO 27001 is the international standard for Information Security Management Systems (ISMS). First published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, and revised in 2013 and again in 2022, it sets out the requirements for establishing, implementing, maintaining and continually improving an information security management system.
What does ISO 27001 cover?
ISO 27001 follows the harmonised structure for management system standards defined in Annex SL of the ISO/IEC Directives (renamed Annex L in the 2019 edition). This is why its ten clauses carry the same headings as other management system standards such as ISO 9001 and ISO 22301:
- 1. Scope
- 2. Normative references
- 3. Terms and definitions
- 4. Context of the organisation
- 5. Leadership
- 6. Planning
- 7. Support
- 8. Operation
- 9. Performance evaluation
- 10. Improvement
Sections 1 to 3 are introductory and contain no auditable requirements. Sections (clauses) 4 to 10 contain the main provisions organisations must implement when setting up, maintaining and continually improving their Information Security Management System.
What are ISO 27001 requirements?
Of the 10 sections within ISO 27001, sections 4 to 10 contain the requirements an organisation must fulfil to achieve certification. In summary, they require the following:
4. Context of the organisation
Organisations must determine the internal and external issues relevant to their purpose, identify interested parties (such as customers, regulators and suppliers) and their information security requirements, and define the scope of the Information Security Management System in documented form, including the processes necessary for its operation. These issues, parties and requirements must be revisited as circumstances change and whenever otherwise appropriate.
5. Leadership
Top Management must demonstrate leadership and commitment to the Information Security Management System by ensuring an information security policy and objectives are established, resourcing the system, ensuring information security is integrated into the organisation’s processes, and assigning and communicating responsibilities and authorities for relevant roles. Top Management is defined in ISO/IEC 27000 (Information technology — Security techniques — Information security management systems — Overview and vocabulary) as the person or group of people who directs and controls an organization at the highest level, and can include Chief Executive Officers, Chief Financial Officers, Chief Information Officers and similar roles.
6. Planning
Planning the Information Security Management System involves giving proper consideration to the issues and requirements identified under section 4, and determining the risks and opportunities that must be addressed to ensure the management system achieves its intended outcomes. The organisation must define and apply a documented process for the identification, assessment and treatment of information security risk, including its risk acceptance criteria, and the process must produce consistent, valid and comparable results when repeated. The outcome is a risk treatment plan that the organisation must then implement.
The organisation must select the controls necessary to treat its risks, compare them against the controls set out in Annex A of the Standard to verify that no necessary control has been overlooked, and produce a Statement of Applicability listing the selected controls, the justification for their inclusion, whether each is implemented, and the justification for excluding any Annex A control. In the 2013 edition, Annex A lists 114 controls in 14 domains, taken from ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls. The 2022 revision of both standards restructures these into 93 controls grouped into four themes (organisational, people, physical and technological), so organisations certified against the 2013 edition must transition their Statement of Applicability to the new control set.
Management must establish information security objectives, communicate and update them as appropriate, and determine who is responsible, when they will be achieved and how they will be evaluated.
7. Support
Organisations must provide the necessary resources for the establishment, implementation, maintenance and continual improvement of the Information Security Management System.
Organisations must determine the necessary competence of persons working under their control that affect information security. Evidence of competence or actions taken to achieve it must be retained.
Persons working under the control of the organisation must be made aware of the information security policy, their contribution to the effectiveness of the management system and the implications of not conforming to requirements. Additionally, organisations must determine what will be communicated, when (under what circumstances and within what time constraints), to whom, who will do the communicating and the process for such communications.
When creating and updating documentation, the processes must provide for appropriate identification, description, format, media, and review and approval for suitability and adequacy. Document control must address additional points such as: distribution, access, retrieval and use, storage and preservation, control of changes, and retention and disposition. Document control processes must also address documentation of external origin.
8. Operation
Each organisation must plan, implement and control the processes needed to meet its information security requirements. Documented information must be retained to the extent necessary to have confidence that those processes have been carried out as planned. Organisations must control planned changes to the management system, review the consequences of unintended changes and act to mitigate any adverse effects. Outsourced processes must be identified and controlled.
In line with the process defined under Section 6, information security risk assessments must be conducted at planned intervals and whenever significant changes are proposed or occur, and the results must be retained as documented information. The risk treatment plan devised under Section 6 must be implemented.
9. Performance evaluation
ISO 27001 requires organisations to evaluate information security performance and the effectiveness of their Information Security Management System. The organisation decides what it is that will be monitored, measured, analysed and evaluated, but will be required to keep documented information of the results of monitoring and measuring.
Organisations must conduct internal audits on the Information Security Management System, and must plan, establish, implement and maintain an audit programme, taking account of the importance of the processes and the results of previous audits.
Top Management must review the management system at planned intervals, taking account of: changes in the issues identified under section 4, trends in non-conformities and corrective actions, results of monitoring and measurement, audit results and fulfilment of information security objectives, feedback from interested parties, results of risk assessment and the status of the risk treatment plan, and opportunities for continual improvement.
10. Improvement
Arrangements must be developed and implemented to deal with non-conformities as they arise, including determining their causes, implementing the necessary actions needed, reviewing the effectiveness of corrective actions, and making changes to the Information Security Management System where required. These steps are commonly managed through a nonconformity and corrective action process.
ISO 27001 requires organisations to continually improve the suitability, adequacy and effectiveness of their Information Security Management System.
ISO 27001 FAQs
Is ISO 27001 a legal requirement?
No. ISO 27001 is not a legal requirement, but it may be a customer or contractual requirement. Many organisations require their suppliers and service providers to be ISO 27001 certified.
Is ISO 27001 certification worth it?
It depends. If your customers require your organisation to be certified in order to award business, then certification is clearly worthwhile.
Moreover, for organisations that are not required by their customers to be certified, there are still clear and tangible benefits in being certified, including: providing assurance to stakeholders that there is a system in place to preserve the confidentiality, integrity and availability of information and to give confidence to interested parties that information security risk is managed.
How much does an ISO 27001 consultant cost?
Consultancy costs vary greatly between providers. Typically, you could expect the full implementation to cost in the range of €10k to €20k in consultancy fees, depending on the size and complexity of the organisation. Certification body audit fees are charged separately.
Is ISO 27001 an IT standard?
Firstly, it is important to look at the full title of the standard: Information technology — Security techniques — Information security management systems — Requirements (2013 edition; the 2022 edition is titled Information security, cybersecurity and privacy protection — Information security management systems — Requirements). ISO 27001 is primarily a management system standard, although many of its Annex A controls apply to IT and related areas.
It is important to note that the standard does not focus specifically on cyber security issues. Cybersecurity is given its own guidance standard, ISO/IEC 27032:2012, Information technology — Security techniques — Guidelines for cybersecurity.
How long does an ISO 27001 certification audit take?
This depends on the size and scope of the organisation and of the information security management system. Initial certification is normally a two-stage audit: Stage 1 reviews your documentation and readiness, and Stage 2 checks that the ISMS is implemented and operating as described. A small to medium sized enterprise may be audited over the course of 2 or 3 days, while a larger organisation could take well over a week, or significantly more. Certification is then maintained through annual surveillance audits and a full recertification audit every three years. Your certification body will advise you on the exact audit duration.