ISO 27001 is an Information Security Management System standard which adopts a business risk approach. By this we mean that a large part of your documentation for the standard involves assessing the risk to your business and the impact if such a risk is realised.
By using risk assessments you can clearly see which areas of your organisation are weaker than others and, in rare cases, identify requirements of the standard which are not feasible for you to implement.
Gaining ISO 27001 is more than just a process of creating documents. An overall culture of Information Security needs to be adopted by your organisation and all staff within it.
The standard contains an annex of Controls and Control Objectives. These are practical and procedural requirements to be implemented in order to reduce the risks identified through risk assessment. All control objectives and controls must be functioning in the day-to-day running of your business, unless through risk assessment it can be shown that implementing a control would have a detrimental effect on the business.
No management system will function correctly unless all those involved are fully aware of their responsibilities within it. Therefore it is important that training is provided for staff and that the system is fully communicated and available to all staff.
During ISO 27001 audits the auditors will be watching everything that happens on your premises. They will be thinking of the almost impossible; therefore it is essential that you take time to consider all manner of possible security incidents when implementing the controls from the standard.
© Copyright 2007. Assent 1 is a trading name of Associate Enterprises Limited.