ISO 27001 Certification

The ISO 27001 (ISO/IEC 27001:2005) International Standard is the most renowned information security standard in the world. It has been developed by information security experts from all over the world and is now considered to be the international state of the art. Over 6,000 organisations worldwide have already achieved certification to ISO 27001 and the numbers are rising by over 1,000 a year.

The ISO 27001 standard provides best practice guidance on designing, implementing and maintaining an Information Security Management System (ISMS) to protect the confidentiality, integrity and availability of information assets. A second standard, ISO 27002, contains a list of best practice information security controls which could be used in the ISMS. However, organisations can only be certified to ISO 27001. There is no certification for ISO 27002.

ISO 27001 has been designed for organisations of all types and sizes. It is just as relevant to a 10-person organisation as to a 10,000-person organisation. The scope of an organisation’s ISO 27001 certification can be as broad or as narrow as required. It can target the entire organisation, a single business process, a single technical system or a single physical location.

Jake Smith Consulting has advised a variety of clients on the development and implementation of their ISMS. These clients have ranged from SMEs to international enterprises, so we can readily tailor an ISMS to your needs. We have guided our clients through the often confusing maze of ISO 27001 certification to ensure that they acquire not only the certificate but an efficient, functional and maintainable ISMS that adds value to the business in its own right.

The ISO/IEC 27001 standard is closely aligned with other management system standards, including:
  • the ISO 9001 standard (Quality Management);
  • the ISO 14001 standard (Environmental Management); and
  • the OHSAS 18001 standard (OH&S Management).
Organisations that are already aligned to one of these standards (or are working towards that goal) are already well on the way towards ISO 27001 compliance and certification. We simply modify the existing management system to satisfy the requirements of ISO 27001.

The ISO 27001 Process

ISO 27001 adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation's Information Security Management System. The ISO 27001 process approach emphasises the importance of:
  • understanding the organisation's information security requirements (what the key information assets are, how critical they are, how sensitive they are);
  • establishing policies and objectives for information security;
  • using a risk-based approach to determine the most effective information security controls for the organisation;
  • implementing and operating those controls;
  • regularly monitoring and reviewing the performance and effectiveness of the Information Security Management System; and
  • continual improvement based on objective measurements.

The ISO 27001 process approach is cyclical and based on the same Plan-Do-Check-Act principle common to ISO's other management system standards.

ISO 27001 Resources