Due to the wide-ranging nature of data storage and protection, you will need to involve all levels of management and all areas of your organisation to implement and maintain an effective information security management system (ISMS). Information security is as much about people as technology. To achieve accreditation you will need to create an internal information security forum and engage the services of an external consultant or technical expert to provide guidance and support through the implementation and certification process. You will then need to appoint an accredited certification body to conduct an independent assessment of your information security management system. ACS Registrars have been audited and accredited by UKAS to provide certification for ISO 27001. Your organisation, your customers and partners will feel confident that your ISMS has been competently audited to the requirements of the International standard. Contact us to find out more.
ISO 27001 controls
To implement a robust and workable system you will need to consider the following:
- Define the scope of the system
- Define your information security policy
- Establish the security objectives of the business
- Perform an information security risk assessment
- Formulate a risk treatment plan
- Select the most suitable control methods
- Establish policies and procedures
- Implement internal review and internal audits
- Monitor the performance of controls to identify opportunities for improvement.
Certification audit
When you are satisfied that your documentation and processes are in place, you are then ready for your first audit. The auditor will review your documentation and make sure that procedures are being followed throughout the organisation. If there are any areas that need to be rectified, these will have to be done before your ISO 27001 certificate is issued.