ISO27001 – The Information Security Management Standard

Defeat cybercriminals

When it comes to protecting your business from cybercriminals, technology can only go so far.
You also need to ensure that your Leadership are accountable, that people are alert to danger and that you have processes in place which shore up your security. ISO27001 incorporates all these elements to provide the comprehensive protection that every growing business needs.

Benefits of ISO27001​

ISO27001 will enable your organisation to:

Be better protected against common cyberthreats such as phishing, viruses and ransomware

Recover more quickly in case of an attack

Reassure customers and prospects that their data is safe with you

Manage new risks more effectively through the sharing of best practice

Enter new market sectors and ‘short cut’ lengthy supply chain questionnaires

Reduce the risk of fines and reputational damage

How we can help you achieve ISO27001 certification

Our experienced consultants will help you establish what you need to do to achieve ISO certification and put together a step-by-step plan to achieve compliance. This will include the identification of the risks faced by your organisation and the development and implementation of ISO27001 compliant processes and procedures tailored for your organisation’s needs. We’ll also help you make sure that your staff have the training they need to protect your operations.

Before certification, we’ll conduct a thorough internal audit, and we’ll also be on hand for your external audit to ensure the auditor has all the information they need. Find out more about our ISO certification process.

Please note: this service including ISO certification audits can be delivered remotely.


How we can help you maintain ISO27001 compliance

It’s vitally important to maintain compliance as this will help to protect your organisation from the threats it faces every day. We can help by conducting regular internal audits against the requirements of the standard. We can also chair and document your management reviews so you can be confident that your processes are thoroughly scrutinised. Should you be unfortunate enough to suffer a security incident, then we can manage this on your behalf.

If you subscribe to Compliance as a Service, you’ll also have access to an experienced ISO consultant who can help you resolve any unexpected queries or situations.

FAQs

ISO27001 is the internationally recognised standard for information security. It indicates that an organisation’s Information Security Management System (ISMS) meets the requirements laid down by the International Organization for Standardization (ISO). ISO27001 is one of the fastest growing management standards.

An Information Security Management System is a system that documents your organisation’s policies, processes and procedures relating to information security.

ISO27001 covers the processes and procedures that need to be implemented to ensure that information security is effectively managed. This includes an assessment of the risks that your business faces, and identifying controls to manage those risks and help prevent unwelcome surprises.

While this may sound like a technical piece of work that should sit with IT, it covers all aspects of the organisation including HR, education and training.

Cyberattacks are one of the biggest risks facing businesses. ISO27001 helps to protect your business against the devastating effects of cybercrime and legal non-compliance. Mindful that not all attacks originate outside the business, it provides a framework to ensure that your staff and subcontractors are trained and supported to deliver their roles safely and securely.

Achieving ISO27001 signals to potential clients that you recognise the dangers and have taken stringent measures to protect your business (and their valuable data).

Many organisations find that ISO27001 is a cost-effective way to preserve the integrity and availability of their systems and data, maintain confidentiality and protect their reputations. It’s also increasingly required as part of supply chain questionnaires as clients seek reassurance that you are not a risk to their business. 

While it is often thought that ISO27001 is only relevant to larger SMEs and corporates, size actually doesn’t matter! The standard is designed to protect systems and win new business from clients who have concerns about data security.

Our smallest client has just four employees and has been successfully running with this standard for two years.

ISO27001 remains one of the most popular standards across all sectors. There’s no sign of this changing with the recent extension which focuses on data privacy (ISO27701).

With the rise in cyber threats, a number of smaller businesses choose to have ISO27001 certification as a standalone certification in order to demonstrate to their clients that they take information security seriously.

ISO27001 enables growing businesses to protect themselves from the disruption, costs and reputational damage caused by successful cyberattacks.

ISO27001 uses a structure called Annex SL, as does ISO9001 (the Quality Management Standard) and ISO45001 (the Health & Safety Standard). This means that you can integrate your management system, which will save you time and money. Find out more in our case study on our own ISO27001 compliant integrated management system.

The cost of ISO27001 pales into insignificance when you think of the disruption a successful cyberattack can cause, not to mention the costs of restoring your network (or even paying a ransom). We base our costs on the size and complexity of your business and how much time you are able to commit to achieving certification. Please contact us to find out which of our solutions is right for you and to discuss our flexible payment terms.

The last major update was in 2013, followed by a minor update in 2017. As cyber risks continually evolve, we expect this standard to be reviewed regularly. 

When new versions of a standard are released, existing holders normally have three years to transition. We always let our clients know about new versions so we can help them manage the transition process. Sign up for our newsletter (see the footer) to receive the latest ISO news.

You need to prepare your management systems to the ISO27001 standard and have them audited by a third party. We’ll help you understand what’s required and take manageable steps to achieve compliance. Find out more about our four-step ISO certification process.

Whether you have an in-house IT team or outsource, we’ll create a step-by-step plan which strengthens your security and helps you achieve compliance more quickly. We’ll also share our own experience of being ISO27001 certified as well as lessons learned from other businesses that we’ve helped through the certification process. We’ll even provide support at your external certification audit to ensure you represent your business in its best light.

Don’t worry if you’re not an IT expert yourself, we believe in jargon-free communication at all times!

After you’ve passed your external audit, you’ll automatically be sent an ISO27001 certificate and a logo. We ask that you allow two weeks for these to arrive. You’ll also receive a copy of our Promotion Power Pack, which will help your marketing team promote your ISO certification on your website, social media and collateral. This ensures that both existing and new clients understand what your certification offers them.

There are a number of standards that have adopted a standard framework called Annex SL. These ‘plug’ together, giving them a common look and feel.

ISO27001 can easily be integrated with ISO9001 (Quality), ISO14001 (Environmental) and ISO45001 (Health & Safety), as well as others. The standards which use Annex SL are designed to work together as an Integrated Management System, saving you time and money.

There is also an extension to ISO27001 which helps organisations to achieve compliance with the GDPR. The ISO27701 Privacy Information Management Standard (PIMS) was released in 2019, and we were one of the first companies in the UK to achieve certification. Find out what our ISO27001 and ISO27701 certifications mean to our clients.

After you have been certified, you will be externally audited every year. In the first two years, you will receive a ‘surveillance’ audit which looks at parts of the management system. This confirms that the management system is still operational and working. In the third year, there is a full audit of the management system which usually takes longer to complete than the surveillance audits.

To ensure you are fully prepared for your annual external audit, we can support you throughout the year with internal audits and management reviews. We can also provide telephone and email support via Compliance as a Service. This is a fixed fee service which includes support for our most popular ISO standards, GDPR and Cyber Essentials.
