ISO 27001 is the internationally recognised standard for Information Security, published by the International Organization for Standardization (ISO). The standard provides the framework for an effective Information Security Management System (ISMS). It sets out the policies and procedures needed to protect organisations and includes all the risk controls (legal, physical and technical) necessary for robust IT security management.

ISO 27001 is designed to cover much more than just IT. An important part of the standard concerns data security across all areas of a business, whether online or offline. The standard is suitable for businesses of all sizes, from start-ups to larger organisations.

ISO/IEC 27001:2017 includes elements to ensure the following:

  • Security requirements and objectives are properly formulated
  • Security risks are managed in a cost-efficient way
  • Compliance with laws and regulations
  • A proper framework for the implementation and management of controls to ensure the security objectives of the organization are met
  • Compliance with the policies, directives and standards of the organization
  • Information security for customers

How does the certification process work?

System audits in the certification process are a means to measure whether the information security management system meets the requirements of ISO/IEC 27001:2017. The main purpose of the system audits is to identify potential improvements.

The certification process consists of two phases:

  • Phase 1 normally consists of a visit to the business in order to review the status of the organization, system documentation, infrastructure, etc. In particular, the organization’s Statement of Applicability (SOA) will be verified.
  • Phase 2 is the certification audit, verifying that the documented system meets the requirements of ISO/IEC 27001:2017. The certification audit will give feedback to the organization on issues that are not in conformance with the standard and that need to be corrected before a certificate can be issued.

The certificate will be valid for 3 years after being granted. During this period, annual surveillance audits will be conducted.

Benefits of Certification

  • Customer satisfaction – by giving confidence that their personal information is protected and confidentiality upheld
  • Business continuity – through management of risk, legal compliance and vigilance of future security issues and concerns
  • Legal compliance – by understanding how statutory and regulatory requirements impact the organization and its customers
  • Improved risk management – through a systematic framework for ensuring customer records, financial information and intellectual property are protected from loss, theft and damage
  • Proven business credentials – through independent verification against recognized standards
  • Ability to win more business – particularly where procurement specifications require certification as a condition of supply
