ISO 27001 is an internationally recognised standard that offers a flexible approach to help establish best practice and raise awareness of the importance of information security within an organisation.
Most organisations have some policies and procedures in place for keeping information safe and complying with GDPR. Choosing a password, using secure communication channels or reporting potential data breaches are all likely to feature in staff induction and training.
ISO 27001 goes much further than this. It brings all policies and practices together into a single, structured Management System.
Safeguarding information assets and personal data makes sound business sense but is also a legal and regulatory obligation. The Information Commissioner's Office specifically mentions ISO 27001 certification as a consideration in establishing whether an organisation has taken ‘reasonable steps’ in protecting personal data under GDPR.
To gain ISO 27001 certification, organisations need to demonstrate that they have identified and assessed potential security risks to confidential information and data they hold. They also need to have taken steps to ensure such risks are mitigated and that security controls are fit-for-purpose within their particular contexts.
As a framework against which your Information Security Management System can be audited, ISO 27001 covers 14 areas, including physical and environmental security, asset management, and information security policies. Centre for Assessment offers audits to check that you are compliant against all the requirements of the Standard, providing certification for your organisation, initially valid for three years.
With increasingly sophisticated cyber-attacks and high-profile data leaks, it is no wonder that the number of organisations achieving certification to ISO 27001 is growing exponentially.
An ISO 27001 audit is a must not only for businesses that are technology-rich or heavily reliant on digital data storage. It is also important for those organisations that hold sensitive information in any other format. Healthcare providers, educational establishments, local authorities, other public bodies, retailers and many others can use ISO 27001 to protect information, no matter its form. Compliance with the Standard is often a requirement to provide services in some sectors, making it extremely valuable.
Centre for Assessment is accredited by the United Kingdom Accreditation Service (UKAS) to provide certification to ISO 27001. As such, working with us is certain to give you a credible, rigorous and comprehensive audit against the framework.
Our experienced, expert team of auditors are located across the UK and beyond.
Although Centre for Assessment does not provide a consultancy service, we can put you in touch with our trusted, independent external associates who can support you in implementing your Information Security Management System before you are ready to move forward with your audit. Additionally, we do provide a pre-assessment service.
Many of the benefits of designing, implementing, monitoring and improving an Information Security Management System are common sense. Auditing your System to ensure it meets the requirements of the international framework – ISO 27001 – can have an extremely positive impact on your organisation.
Some of the reasons why you should arrange an audit include your potential ability to:
Following the Annex SL format, ISO 27001 can be integrated with other Management Systems, such as ISO 9001 (quality management) and/or ISO 14001 (environmental management). Centre for Assessment can provide audits against several frameworks as a combined project if your systems are integrated.
You may also be interested in gaining Cyber Essentials Plus to further enhance your management of information security. This is a Government-backed scheme which complements your ISO 27001 certification.
Please get in touch to find out more about which option is right for your organisation.
Initial thoughts: Firstly, you need to establish that ISO 27001 is the right fit for your organisation and, if so, what the scope of certification will be. Centre for Assessment will be happy to help you make these decisions. If you already hold another ISO certification, such as 9001, it may be possible to complete a combined audit if your Management Systems are sufficiently integrated.
Preparation: You may choose to hire a consultant to help you design and implement your Information Security Management System. Centre for Assessment does not offer a consultancy service but can provide you with a list of our independent associates who would be happy to work with you. You could opt to use Centre for Assessment to provide a pre-assessment service. Alternatively, you may choose to move forward without seeking external support – it’s up to you.
Apply: Submit an application form via our website.
Quotation: Your application will be reviewed by a member of our Business Development team, who may need to call you to request further information before providing you with a no-obligation audit proposal.
Accept: Review the proposal sent by Centre for Assessment and, if you are happy, sign and return the document to us.
Make arrangements: You will be allocated a specialist, experienced auditor who will contact you to introduce themselves, discuss arrangements and book dates for your audit.
Audit Stage One: The Stage One audit will involve a review of the documents relating to your Information Security Management System. Stage One also explores your readiness to move on to Stage Two.
Audit Stage Two: The Stage Two audit looks at the effectiveness of your Management System.
Verification: Once the two stages are complete and any findings addressed, your auditor will recommend that Centre for Assessment awards you ISO 27001 certification.
Certification: Following a technical review by a decision-maker, you will be issued a certificate that is valid for three years. You can advertise the fact that you are certified to the Standard and use the ISO 27001 logo on your website and elsewhere.
Annual Audit: At 12 and 24 months following your initial audit, review visits will be completed to ensure you are still compliant with ISO 27001. These will be arranged directly with your auditor.