What is information security and what is ISO 27001? Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. ISO 27001 is the international standard for information security and is regarded as an internationally recognized best-practice framework for an information security management system (ISMS). It helps you identify the risks to your important information and put in place the appropriate controls to reduce those risks. Based on the context of your business or organisation and the stakeholders' requirements, a risk assessment will guide you on the controls needed. Each control seeks either to prevent incidents, to detect incidents, or to help recover from an incident.
The standard is an excellent framework for anyone who has information assets, and let's face it, who hasn't these days?
You can use the framework to help you improve your business, and you can use it to obtain external verification through ISO certification, which helps create trust with your potential customers. Designing and implementing an ISMS will not only win you more business; it will also provide a platform for protecting your most important assets and give you a system that ensures business continuity should your security defences be compromised.
Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures, software and hardware. (Can you buy security? No, but you can use ISO 27001 to get closer!) These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met.
The typical approach to ISO 27001 is to begin by creating awareness in your organisation. This might be through workshops and presentations, but it is extremely important that everybody is aware of and on board with the project. The next step is to understand where you as an organisation stand in terms of information security and what gaps you need to close for a complete ISO 27001 implementation. Now you are ready to start the project: budgeting, risk assessment, a risk treatment plan, defining controls, writing documentation, training employees, running the system, performing internal audits, and finishing with the external certification audits (ISO 27001 Implementation Checklist).
Do you have smiling employees, or are you surrounded by colleagues that smile? Perhaps not the first thing that you would think of as a benefit of ISO 27001. However, if you design and implement a great Information Security Management System with a process focus, you will also see internal business gains such as better efficiency and higher productivity. Hence, less stress for your employees and more interesting and engaging work = smiling employees.
This is, however, often not why organisations decide to implement ISO 27001. Typically, they start because they have external customer requirements. Recent research from 451 Research shows that the hosting and cloud market is growing significantly, but customers are increasingly looking for evidence of security and compliance. Likewise, bids and tenders now often require products and services to be accredited with ISO 27001 certification.
As you can probably imagine, ISO 27001 certification projects can vary tremendously in both time and cost. It all depends on the existing maturity of the organisation, the complexity of the organisation, and how many gaps you need to close before you are ready for certification. I have seen projects that took 3-4 months, but a typical project will take somewhere between 9 months and a year. Cost is even more difficult to establish upfront, as this will also depend on the maturity and the gaps. In addition, cost will depend on the size of the organisation, the risk assessment, the level of protection you need, technology, legislation, etc. The important thing to note is that the foundation is the risk assessment. There is no point investing too much in something that is either not a significant risk or not critical to your business. The typical costs are project management, external consulting, technology, training, employee time and certification. (What does ISO 27001 certification cost…and what does it cost if you don't?)
However, if done correctly, this investment will pay dividends in a better-run business with more customers and fewer incidents and less downtime (and perhaps employees that smile?).
The cost of not focusing on information security can be significant, and there is plenty of research to support this (TalkTalk cyber attack will cost company up to £35m).
At JSC Consultant our approach is:
- All our Senior Consultants have an extensive background in business
- They also have many years of ISO 27001 training, assessment and implementation experience
- No project is the same, and hence time is spent understanding the specific situation of the client
- Projects typically include a thorough gap analysis and risk assessment as input for the system design
So if you are considering ISO 27001, call us now to discuss how we can help you design and implement a great ISO 27001-compliant Information Security Management System and avoid all the pitfalls.