ISO 27001 is a framework for an Information Security Management System (ISMS) to address the management of information risks. Annex A of the 27001 specification documents specific information security controls, which ISO/IEC 27002 further expands upon.
These information security controls protect the confidentiality, integrity, and availability of information with risk management as the primary driver of the control objectives.
The standard is structured logically around 14 security control families, 35 control objectives, and more than 114 individual controls.
Certification can be achieved by following the Information Security Management System (ISMS) guidelines and completing an official audit. While not mandatory, there are many benefits to becoming ISO 27001 certified. For example, it can complement other compliance regimes and standards such as HIPAA, PCI DSS, FFIEC and FISMA. ISO certification can also enhance your business reputation, as ISO standards are highly respected. Finally, an ISMS embodies information security best practices that are valuable for business continuity and growth.
For many organisations, certification to ISO 27001 can be a nerve-racking experience, with concerns about the audit process, what will and could happen, and the need to gain successful certification for commercial or personal reasons. The process is straightforward, and we can assist with any or all the steps to a successful accreditation to ISO 27001.
This schematic shows how the certification process works, with the red titles showing the certification body input. The gap between a Stage 1 and Stage 2 audit will normally be between 2 and 6 months, which allows plenty of time to ensure that all the controls have been implemented and effectively audited; to check that your management understand and apply their leadership and commitment; and to ensure that all staff have the relevant awareness and competency.
A risk management strategy provides a structured and coherent approach to identifying, assessing and managing risks or uncertainties, followed by minimizing, monitoring and controlling the impact of risks that materialise, or enhancing potential opportunities, through the coordinated and economical application of resources.
Our experts partner with clients on corporate planning, providing perspective not only on immediate value and impact, but on long-term implications. We work closely with management and other advisers to leverage and complement their knowledge and ensure maximum impact, and actively support implementation and skill building.