ISO 27001 certification is fast becoming a standard requirement for organisations looking to work with customers that have strict cyber security requirements, such as those in the financial, government or medical sectors, as well as a way of demonstrating excellence in information security.

Unlike the Cyber Essentials scheme, ISO 27001 is more rigorous in terms of the depth of controls, the policy requirements and the evidence needed to demonstrate compliance. Where Cyber Essentials is focused almost entirely on devices with Internet access, ISO 27001 concerns itself with all aspects of information security, whether physical or digital, hosted locally or by third parties.

How does it work?

Typically the process starts by determining which parts of your organisation are to be included in your ISMS and made subject to the ISO 27001 standard. It is preferable to cover the entire organisation, but in some cases this is simply not practical.

The next stage is to determine what information assets fall within the defined scope. These can be anything from customer data to website logs, from employee ID tags to shipping manifests.

Once a list of information assets has been created, it’s possible to evaluate the threats to these assets in a risk register.

Once the risks have been identified, they must be mitigated to an acceptable level via controls defined in a risk treatment plan, which in turn identifies which ISO 27001 controls are required (these are recorded in a statement of applicability).

If your organisation already has security controls in place, a gap analysis can help determine which of the required controls are already implemented and which still need to be.

Security controls are defined and implemented via company policies and procedures. These should be authored in a way that is aligned to the standard, for easier auditing and reference in the future.

Lastly, the ISMS, its policies and its supporting documentation are audited by a third party to ensure compliance with the standard, and ISO 27001 certification is awarded.

Certification Roadmap

  • Determine Scope

    Outline whether your entire organisation or only a portion of it should be considered within the scope of the certification.

  • Identify Assets

    Identify all information assets of the organisation that are within scope.

  • Create Risk Register

    Identify any threats to the confidentiality, integrity or availability of information assets.

  • Create Risk Treatment Plan

    Once the threats to the information assets have been identified, a risk treatment plan must be created to mitigate threats to an acceptable level of residual risk.

  • Gap Analysis

    A gap analysis identifies which risk treatments via ISO 27001 controls are already in place and which need to be implemented.

  • Policy & Procedure Development

    Policies and procedures provide the mechanism defining what controls should be implemented, how they are implemented and how they are evidenced.

  • ISO 27001 Audit

    The final stage of the process is the ISO 27001 audit, conducted by a third party with your staff. Seguro can assist in this process, or it can be handled completely independently.