ISO/IEC 27001 Information Security Management
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). It defines best practice to help companies of all sizes, in any industry and virtually any country, systematically secure their confidential and business-critical data.
Each standard is created by a technical committee made up of subject matter experts, including industry representatives, research organisations, government departments and consumers. The outcome is a set of detailed criteria, definitions and guidelines that provides a comprehensive framework to help organisations implement a coordinated approach to information security.
WHAT IS AN INFORMATION SECURITY MANAGEMENT SYSTEM?
Implementing a robust ISMS is a proactive and systematic approach to managing risk and securing confidential and commercially sensitive information, protecting it from potential cyber-attacks and data breaches.
Introducing controls across people (education and training), process (policies and procedures) and technology (systems and software), an ISMS enables organisations to effectively manage and mitigate risk; safeguard information assets; maintain data integrity and confidentiality; and ensure legal and regulatory compliance.
WHAT ARE THE BENEFITS?
Peace of mind:
Certification ensures confidential data is secure, which may include financial records, intellectual property, personal data and other commercially sensitive information, as well as employee and customer records.
Globally recognised:
With more than 165 member countries, ISO/IEC 27001 certification sets a benchmark for best practice and is recognised all around the world, quickly and easily demonstrating your organisation’s commitment to information security.
Compliance:
Enhances your company’s brand and builds trust and confidence. Certification reassures existing or potential customers and stakeholders that you are committed to industry best practice and continual improvement.
Enhances reputation:
Certification builds trust and confidence in your company and reassures existing or potential customers and stakeholders that you are committed to safeguarding data.
Competitive advantage:
Certification can increase commercial opportunities and enable your company to win additional business and new customers from competitors who are not certified, or where certification is mandated for suppliers.
Security awareness and business continuity:
ISO/IEC 27001 certification promotes far greater information security awareness amongst staff and a culture of security throughout the business, which means greater vigilance. By reducing the number of incidents, disruption to day-to-day operations is minimised.
Cost savings and efficiencies:
The cost of implementing ISO/IEC 27001 is likely to be minimal when compared to the potential financial impact of a breach. Business operations are also streamlined as policies and procedures are clearly defined and documented.
Futureproofing:
The framework helps your business to continually review potential risks and weaknesses and implement appropriate controls that improve the way you manage your organisation’s information security.
Complete the form below and request a short consultation to discuss how we can help your business to get certified.
ISO 27001 CERTIFICATION PROCEDURE
Initial Review:
We establish the size and scope of the project by working with you to understand your overall business needs, your expectations and how implementing the ISO standard can help you. We also take a look at your existing certifications to identify opportunities to integrate management systems and lower your total cost of ownership.
Implement your ISO Management System:
Implementation includes a full gap analysis and review alongside regulatory compliance and industry standards. We assist with the development of policies and processes and with staff training.
Pre-Assessment:
Fortis simulates the certification audit and performs a full review of your company’s scope, policies, processes and procedures. Fortis then reviews and remediates any gaps before your official UKAS certification body audit.
Certification Audit:
We will assist with internal audits and actively support you during the stage 1 and stage 2 certification audits.
Ongoing Support:
Post certification we will help you to successfully maintain your certifications, with internal audits, management reviews, compliance for surveillance audits and re-certification.
Congratulations!
UKAS ISO certification is achieved and formally awarded. You are now a certified business!
LEVELS OF SERVICE
The breadth of the Fortis service portfolio enables us to offer a variety of information security and risk management solutions to help our clients achieve the information security compliance standard they need to operate with confidence.
From a simple one-off gap analysis against the ISO/IEC 27001 standard, through to complex multi-standard integrated management systems, Fortis offers comprehensive certification services that can be tailored to suit your organisation’s specific requirements.
Fortis can continue to work with your organisation beyond certification via the Fortis Stay Certified Service (SCS), which supports the ongoing maintenance and assurance of your ISMS and ensures that your certification is retained during annual surveillance and re-certification cycles.
IS THERE A SIMPLER ROUTE?
Cyber Essentials
Cyber Essentials Plus
IASME Cyber Assurance
ISO/IEC 27001
Achieving ISO/IEC 27001 certification is a rigorous process and, depending on the type and size of the business and the amount of data processed, there may be a different cyber security standard that is better aligned to your organisation’s needs.
The highly experienced team at Fortis can advise which is the most appropriate certification to provide the right level of assurance for your business.
SPECIFICS OF ISO/IEC 27001 CERTIFICATION
Context
Understanding your organisation and its context
Assessing the needs and expectations of stakeholders
Determining the scope of your ISMS
Leadership
Establishing and communicating an information security policy and setting objectives
Ensuring roles and responsibilities are correctly assigned
Demonstrating leadership and commitment to your organisation’s ISMS
Planning
Carrying out an information security risk assessment process
Reviewing risks and opportunities that need to be addressed in order to effectively implement, manage, and improve your organisation’s ISMS
Setting measurable and consistent information security objectives, alongside comprehensive plans on how to achieve them
Support
Reviewing the resources and competencies needed to effectively implement, manage, and improve your organisation’s ISMS
Plugging skills gaps and/or providing training where required
Ensuring awareness and communication relating to the information security policy, objectives, and ISMS
Creating, controlling, and updating documented information relating to the ISMS
Operation
Planning, implementing, and controlling the processes needed to meet the outcomes of the information security risk assessment
Implementing plans to achieve the organisation’s information security objectives
Conducting regular information security risk assessments, remediating identified risks, and documenting all results
Performance evaluation
Monitoring, measuring, analysing, and evaluating the effectiveness of your organisation’s ISMS
Conducting internal audits at planned intervals to ensure the ISMS conforms to the organisation’s own requirements and those of the International Standard
Carrying out a regular management review of your ISMS to determine its continuing suitability, adequacy, and effectiveness
Improvement
Identifying nonconformities and any associated corrective actions
Continually improving the suitability, adequacy, and effectiveness of your organisation’s ISMS
The information security controls with which your organisation needs to comply to achieve certification are broken down into the following four key areas:
Organisational controls, e.g. policies, roles and responsibilities, threat intelligence, access rights, identity management
People controls, e.g. screening, remote working, employment terms and conditions, confidentiality
Physical controls, e.g. securing offices, storage media, security of assets off-premises, equipment maintenance
Technological controls, e.g. configuration management, malware protection, network security, secure authentication