The International Standard for Information Security
What is ISO 27001?
Let’s take a different approach here. Let’s be brutally honest with you about it. But first the facts.
ISO 27001 is the international standard for Information Security. It is often a requirement of clients that want to do business with you.
If you are here it is likely because a client has asked you to get it. You probably have no idea what it is and just want it taken care of as quickly and as cheaply as possible.
We specialise in helping you do it yourself or taking care of it for you.
ISO 27001 Truth Bombs
At the end of the day it is a certificate. A bit of paper that your clients are asking, demanding and expecting of you. It is a condition of doing business. If there is a commercial reason to do it, you will do it. If there isn’t, you won’t.
It won’t make you more secure. It can. But it likely won’t. It won’t stop you getting hacked. It can. But it likely won’t. But it will open doors to new business.
No one really wants to do it but they need it. They want it done quickly and cheaply. Here is the dilemma for you because quick isn’t cheap and cheap isn’t quick.
Our approach has been to give you choice. You can take the tools and guides and do it yourself, which will be cheap but take time. Or we can do it for you, which will be quick but, relatively speaking, not cheap.
The best thing to do is to speak to us.
ISO 27001 FAQ
ISO 27001 is the name and designation given to the international standard for information security. It is an information security management system. It is a series of information security policies, information security documents, information security controls and processes for the management of information security. As a standard you can be assessed against it and a certificate can be issued to demonstrate that you meet the requirements of the standard.
There are two goals for the ISO 27001 standard. The first goal is to provide a benchmark and framework against which businesses can operate for best practice in information security protection. The second goal is to be able to demonstrate through independent certification that a business meets the requirements of the international standard for information security and thereby provide assurance that the business is operating to a certain level.
ISO 27001 can provide a framework to satisfy aspects of the GDPR, especially around principle 6, maintaining adequate security. It does not make you GDPR compliant and it does not satisfy all of the requirements of the GDPR. Consider it a complementary standard and complementary framework.
At the time of writing ISO/IEC 27001:2013 is the most current version of the standard and incorporates changes made in 2017.
The easiest way is to request a copy of their most up-to-date certificate and scope statement. You can check the date of the certificate to ensure that it is valid. The certificate will tell you the name of the certification body. You can then search the certification body's website for a register of companies that they have certified.
In general, no. It can be a requirement of a regulatory body or of a contract, but it is not a legal requirement in the widest sense of the law, unlike the GDPR, which is a law.
ISO 27001 is only mandatory if an industry regulator mandates it or a contract between you and a customer or supplier mandates it. It is a framework based on risk and as such even the controls within the standard are not mandatory.
The ISO 27001 standard and ISO 27001 certification apply to any business that wants to operate to it and demonstrate best practice for information security management. The number one reason we see a business adopt the ISO 27001 certification is for commercial gain and as a result of being asked for it by a customer on which a commercial contract rests.
Yes. ISO 27001 is a framework made up of policies, documents, controls and processes. It is a risk-based framework with continual improvement at its heart. It requires top-level leadership commitment.