If you are looking for a certification body to assess your organisation for ISO 27001 compliance, it would seem like common sense for you to ensure that they, themselves, have the necessary credentials to provide a credible assessment. Unfortunately, however, many organisations do not exercise sufficient care when selecting a certification partner. Many mistakenly assume that an organisation acting as a certification body must somehow be qualified to adopt that title. Sadly, this is not always true.
ISO 22301 is relevant to any business, no matter the size or industry sector. However, it is especially important for those organisations that operate within high risk environments such as utilities, financial services, oil and gas, transportation, telecom and food production, or where continued operation is vital, for example in the public sector.
Somebody just nipping out to lunch or to a meeting is business as usual in every office and may seem innocuous. However, this situation, which happens on a daily basis in every workplace, can pose a serious information risk to businesses. Without proper precautions, information and assets left at the desk by the employee can be accessed and taken by an unauthorised person.
What should I include in my information security policy, you ask. The purpose of the information security policy, as required by ISO 27001, is often misunderstood, and it's quite common for inexperienced information security managers to think they need to detail everything about their information security management system in this one document.
So you’ve taken the plunge and decided to implement ISO 27001. If you’ve reviewed the standard, you’re now probably overwhelmed with the detail in clauses and controls and wondering what is the best way to go about applying the standard in your organisation. Generally speaking, there are three basic approaches to implementing ISO 27001:
Security compliance is challenging enough for big organisations. Small and medium-sized enterprises (SMEs), however, face exactly the same security threats with smaller budgets and without specialist resources. In many SMEs there is a significant gap in understanding of the scale of the cyber threat that organisations face. In audits and security reviews carried out by Construct IS on SMEs, it is very common to find that there are no recorded security incidents.
ISO 27001 is a mature management system with a heritage dating back to 1999 in the BS 7799 data security standard. It was created to help you control the security of the information in your business. ISO 27001 is often mistakenly taken to be an IT Security Standard. Information Technology is a key focus area but it is not the whole picture.
Is information security risk well understood in the board-room? Despite a plethora of high-profile information security breaches, a large number of organisations’ management teams still have a poor grasp of their own susceptibility to a similar fate, according to leading security industry analysts.
Companies large and small are facing an overwhelming combination of increasing cyber security threats and an ever-increasing need to comply with a long list of laws, regulations and security standards. This problem is only compounded by a widening gap in the skills required to assess and manage the issues. Understanding how to lead the way in identifying and analysing security risks, creating strategic security plans, and ensuring compliance requires a certain level of expertise.