ISO 27001 Certification
ISO 27001:2005 is the international standard for Information Security Management. It is primarily meant for organizations that process, store and handle information, and it helps them establish and effectively manage an Information Security Management System (ISMS). The standard was earlier known as BS7799.
The importance of ISO 27001:2005 certification is more pronounced for organisations that deal with information, particularly information belonging to customers. Having an effective ISMS in place is important because it enables an organisation to secure its information assets.
Most companies that use Information Technology (IT) face threats such as virus attacks, hacking, theft of information and misuse of data by employees. By implementing an ISMS, an organization is able to handle all such risks effectively.
As per the latest statistics, the total number of ISO 27001:2005 certificates issued worldwide was 5,797, and the number issued in India was just 369.
Benefits of ISO 27001
By implementing an ISMS and getting certified for ISO 27001:2005, an organization gains the following benefits:
- It acts as an assurance to customers that their data will be kept safe and protected from loss or theft.
- It helps the organization identify possible risks related to information and manage these risks effectively.
- It helps the organization protect all its assets, including information.
- It can be used as a marketing tool to gain new customers and also retain existing customers.
- Getting certified is an achievement, as only a handful of organizations are certified.
Certification process
The following are the stages involved in the certification process:
- Risk Analysis: In this stage, a detailed review of the working of the organization is carried out to identify the organization's assets and the threats and vulnerabilities affecting them. Based on this, the various risks can be identified.
- Risk Treatment: For each of the risks identified, a risk treatment plan (RTP) is prepared explaining the action(s) to be taken to mitigate the identified risk.
- Preparing the Scope of Applicability: Based on the results of the risk analysis, the organization identifies the scope of applicability of the ISMS, following the ISO 27001 standard. The organization selects the security controls it will apply (out of the 130+ controls identified in the standard), and the reasons for selecting or excluding each control are recorded.
- Developing the ISMS: Based on the scope of applicability, the ISMS is developed as per the requirements of the standard. This includes framing security policies, control objectives, procedures, records, etc.
- Training: Staff in the organization need to be trained on the ISMS and its usage. The information security officer/administrator also needs to be comprehensively trained on operating the ISMS.
- Maintaining, monitoring & measuring the ISMS: Once the ISMS is documented, it needs to be followed in practice. The implementation needs to be monitored and measured.
- Carrying out audits: Internal auditors audit the ISMS to determine the extent of implementation and to identify problem areas and actions to be taken. A management review is carried out to assess the effectiveness of the ISMS.
- Certification: On completion of the internal audit, the certification audit can be carried out by an accredited certifying agency.
For those interested in learning more about ISO 27001 through our distance learning courses, click here.
If you are an organisation interested in obtaining ISO 27001 certification, click here to contact us.