ISO 27001

ISO 27001 is an internationally recognised standard that offers a flexible approach to help establish best practice and raise awareness of the importance of information security within an organisation.

Information Security Management System

Most organisations have some policies and procedures in place for keeping information safe and complying with GDPR. Choosing a password, using secure communication channels or reporting potential data breaches are all likely to feature in staff induction and training.

ISO 27001 goes much further than this. It brings all policies and practices together into a single, structured Management System.

Introduction

Safeguarding information assets and personal data makes sound business sense but is also a legal and regulatory obligation. The Information Commissioner's Office specifically mentions ISO 27001 certification as a consideration in establishing whether an organisation has taken ‘reasonable steps’ to protect personal data under GDPR.

To gain ISO 27001 certification, organisations need to demonstrate that they have identified and assessed potential security risks to confidential information and data they hold. They also need to have taken steps to ensure such risks are mitigated and that security controls are fit-for-purpose within their particular contexts.

As a framework against which your Information Security Management System can be audited, ISO 27001 covers 14 areas, including physical and environmental security, asset management, and information security policies. Centre for Assessment offers audits to check that you are compliant with all the requirements of the Standard, providing certification for your organisation, initially valid for three years.

Who is this for?

With increasingly sophisticated cyber-attacks and high-profile data leaks, it is no wonder that the number of organisations achieving certification to ISO 27001 is growing exponentially.

An ISO 27001 audit is a must not only for businesses that are technology-rich or heavily reliant on digital data storage. It is also important for organisations that hold sensitive information in any other format. Healthcare providers, educational establishments, local authorities, other public bodies, retailers and many others can use ISO 27001 to protect information, no matter its form. Compliance with the Standard is often a requirement to provide services in some sectors, making it extremely valuable.

How we can help

Centre for Assessment is accredited by the United Kingdom Accreditation Service (UKAS) to provide certification to ISO 27001. As such, working with us is certain to give you a credible, rigorous and comprehensive audit against the framework.

Our experienced, expert team of auditors are located across the UK and beyond.

Although Centre for Assessment does not provide a consultancy service, we can put you in touch with our trusted, independent external associates who can support you in implementing your Information Security Management System before you are ready to move forward with your audit. Additionally, we do provide a pre-assessment service.

Features and benefits

Many of the benefits of designing, implementing, monitoring and improving an Information Security Management System are common sense. Auditing your System to ensure it meets the requirements of the international framework – ISO 27001 – can have an extremely positive impact on your organisation.

Some of the reasons why you should arrange an audit include your potential ability to:

  • improve the culture of security in your organisation;
  • demonstrate your credibility to stakeholders inside and outside your organisation;
  • increase confidence that the information you hold is protected;
  • review and improve the strength of your security measures;
  • give your customers/service users reassurance that their data is safe;
  • reduce costs associated with data breaches and other financial implications of information mismanagement;
  • manage risks to business continuity;
  • fulfil requirements for tenders and other contracts;
  • increase business capacity and growth ambitions;
  • comply with international legal obligations and regulations, including GDPR;
  • provide a competitive advantage for your company.

Related services

Following the Annex SL format, ISO 27001 can be integrated with other Management Systems, such as ISO 9001 (quality management) and/or ISO 14001 (environmental management). Centre for Assessment can provide audits against several frameworks as a combined project if your systems are integrated.

You may also be interested in gaining Cyber Essentials Plus to further enhance your management of information security. This is a Government-backed scheme which complements your ISO 27001 certification.

Please get in touch to find out more about which option is right for your organisation.

Find out more:

Business Benefits

  • Helps manage security of data in physical and electronic forms.
  • Reduces cyber security risks.
  • Increases awareness of potential risks and threats and builds a culture of security.
  • Demonstrates credibility and trust, instilling confidence in customers and stakeholders and enhancing company reputation.
  • Increases competitive edge by meeting or exceeding contractual requirements.
  • Continually improves processes and procedures reducing costs and errors.
  • Achieves operational excellence, increasing productivity and profit.
  • Enhances customer satisfaction and improves client retention.
  • Achieves governance and business continuity requirements.
  • Supports regulatory and legal compliance.

Certification Process

Initial thoughts: Firstly, you need to establish that ISO 27001 is the right fit for your organisation and, if so, what the scope of certification will be. Centre for Assessment will be happy to help you make these decisions. If you already hold another ISO certification, such as ISO 9001, it may be possible to complete a combined audit if your Management Systems are sufficiently integrated.

Preparation: You may choose to hire a consultant to help you design and implement your Information Security Management System. Centre for Assessment does not offer a consultancy service but can provide you with a list of our independent associates who would be happy to work with you. You could opt to use Centre for Assessment to provide a pre-assessment service. Alternatively, you may choose to move forward without seeking external support – it’s up to you.

Apply: Submit an application form via our website.

Quotation: Your application will be reviewed by a member of our Business Development team, who may need to call you to request further information before providing you with a no-obligation audit proposal.

Accept: Review the proposal sent by Centre for Assessment and, if you are happy, sign and return the document to us.

Make arrangements: You will be allocated a specialist, experienced auditor who will contact you to introduce themselves, discuss arrangements and book dates for your audit.

Audit Stage One: The Stage One audit will involve a review of the documents relating to your Information Security Management System. Stage One also explores your readiness to move on to Stage Two.

Audit Stage Two: The Stage Two audit looks at the effectiveness of your Management System.
Verification: Once the two stages are complete and any findings addressed, your auditor will recommend that Centre for Assessment awards you with ISO 27001 certification.
Certification: Following a technical review by a decision-maker, you will be issued a certificate that is valid for three years. You can advertise the fact that you are certified to the Standard and use the ISO 27001 logo on your website and elsewhere.
Annual Audit: At 12 and 24 months following your initial audit, review visits will be completed to ensure you are still compliant with ISO 27001. These will be arranged directly with your auditor.

Certification Support

  • Personalised service from the Centre for Assessment sales and operations team.
  • Bespoke in-house training and workshops are available, such as internal auditor training.
  • Open training courses can be booked online.
  • A Gap Analysis is an optional service which allows one of our expert assessors to enter your organisation prior to the formal assessment to identify any gaps in your management system. This can be a valuable and important part of planning for achieving certification.

Related Services

Cyber Essentials

Accreditation is suitable for all companies in any sector that handle client information and have a desire to increase their IT infrastructure security throughout their business.

ISO 9001 - Quality Management

ISO 9001 is the international Standard for Quality Management, helping organisations provide products and services that meet or exceed customer expectations. With over one million certified organisations worldwide, ISO 9001 is one of the most popular business improvement tools available.

Lexcel

Lexcel is the Law Society’s practice management standard specifically designed to promote excellence within law practices. A Lexcel accreditation provides a flexible, supportive management framework to help practices and in-house legal departments improve operations and manage risk effectively.