Information Technology Management System (ISO 27001)

ISO 27001 is the international standard for Information Security Management Systems (ISMS), based largely upon the previously adopted BS 7799, in common use since 1995 for managing information security. ISO 27001 provides the framework for a technology-neutral, vendor-neutral management system that enables an organization to assure itself that its information security measures are effective. This includes the continued accessibility, confidentiality and integrity of its own information and that of its stakeholders, as well as legal compliance.

Implementation of ISO 27001 is an ideal response to legal requirements and potential security threats such as:

  • Vandalism / terrorism
  • Fire
  • Misuse
  • Theft
  • Virus attack.

ISO 27001 is structured to be easily compatible with other management system standards such as ISO 9001 and ISO 14001. Whilst there are some clause numbering differences, common elements include documentation, review and audit requirements, enabling an organization to develop a largely integrated management system.

What are the benefits?

  • Customer satisfaction – by giving confidence that their personal information is protected and confidentiality upheld.
  • Business continuity – through management of risk, legal compliance and vigilance of future security issues and concerns
  • Legal compliance – by understanding how statutory and regulatory requirements impact the organization and its customers
  • Improved risk management – through a systematic framework for ensuring customer records, financial information and intellectual property are protected from loss, theft and damage
  • Proven business credentials – through independent verification against recognized standards
  • Ability to win more business – particularly where procurement specifications require certification as a condition to supply.

How to achieve certification?

The following steps are to be followed to implement an ISMS:

  1. Top Management’s Commitment
  2. Selection of Capable Consultant
  3. Information Security Risk Assessment
  4. Documentation
  5. Implementation
  6. Training
  7. Internal Audit
  8. Selection of Certification Agency
  9. Certification Audit

Initial Certification Audit

The assessment process for achieving certification consists of a two-stage Initial Certification Audit, as follows:

Stage 1 – the purpose of this visit is to confirm the readiness of the organization for full assessment.

The assessor will:

  • Confirm that the management system manual conforms to the requirements of ISO 27001.
  • Confirm its implementation status
  • Confirm the scope of certification
  • Check legislative compliance
  • Produce a report that identifies any non-compliance or potential for non-compliance and agree a corrective action plan if required
  • Produce an assessment plan and confirm a date for the Stage 2 assessment visit.

Stage 2 – the purpose of this visit is to confirm that the information security management system fully conforms to the requirements of ISO 27001:2005 in practice.

The assessor will:

  • Undertake sample audits of the processes and activities defined in the scope of assessment
  • Document how the system complies with the standard
  • Report any non-compliances or potential for non-compliance
  • Produce a surveillance plan and confirm a date for the first surveillance visit.

If the assessor identifies any non-conformance, the organization cannot proceed to certification until corrective action is taken and verified.

For more information about this service, contact our friendly team today. We will be pleased to help you.

Contact us or email us at mkt@meqmp.net