Is 2016 going to be the year where you achieve ISO 27001 certification?
It may be something you have been considering for some time now. Not a day goes by without the media reporting some sort of information security breach (Hyatt, TalkTalk or Ashley Madison, to mention just a few).
More and more of your customers are either asking directly for ISO 27001 certification or they are asking for you to explain (in great length) how you control certain aspects of information security.
You have read or heard about the new EU legislation (General Data Protection Regulation) that is coming into effect in 2018 with massive potential fines if you are not able to protect and react appropriately.
You might also have been thinking that formalising a lot of the controls you already have in place would be good as it would help provide a solid platform from which you can both grow the business as well as ensure the business keeps improving.
Whatever the reason, 2016 is the year to get started with ISO 27001… but where to start?
Well, unless you have a lot of spare time on your hands, I would suggest you solicit some expert help. Too many times I see systems that have been wrongly designed… if you needed a filling done in a tooth you would not try to do it yourself, would you? To design, build and implement a management system that complies with the ISO 27001 standard takes both time and specialist knowledge, but if you engage an expert to help you then the system could be up and running in a matter of weeks rather than months (significantly less than if you start building the system yourself from scratch), and if the consultant knows his stuff then certification is guaranteed.
Will I have to tie down my business in a lot of unnecessary security controls and policies? The answer is no if you have engaged someone who knows what they are doing. They would ensure that an appropriate risk assessment framework (process and software tool) is put in place and that all your information security decisions are based on a thorough risk assessment that reflects your risk appetite as well as your stakeholders' risk appetite.
So now the management system has been created and is up and running. The next step is to run an effective internal audit programme. The purpose of the audit programme is to make sure that the Information Security Management System (ISMS) conforms to your own requirements as well as the requirements of the standard, and to check that it is working effectively. If you have a good audit programme, you should get lots of improvements. If you don't get lots of improvements, you should review your audit programme. Many organisations choose to outsource the audit function to an external consultant, allowing employees to focus on the core business. By outsourcing you also get the added benefit of having a completely fresh set of eyes doing the auditing.
Finally, find a really good certification body that can offer highly experienced assessors, who will be able to assess your system as well as add value by raising observations and suggesting areas for improvement.
At JSC Consultant our approach is:
- All our Senior Consultants have an extensive background in business
- They also have many years of ISO 27001 training, assessment and implementation experience
- No two projects are the same, and hence time is spent understanding the specific situation of the client
- Projects typically include a thorough gap analysis and risk assessment as input for the system design
So if you are considering ISO 27001, call us now to discuss how we can help you design and implement a great ISO 27001-compliant Information Security Management System and avoid all the pitfalls.