Key Things You Should Know About ISO 27001

18 Jul

Table of Contents

It is the International Standard for Information Security Management. Effectively, it provides any organisation, irrespective of size or sector, with a framework and an approach to protecting one of the most important assets, i.e., information.  ISO 27001 is one of the most commonly adopted international standards and one of the fastest growing.

It is a business standard (not an IT standard) that touches every part of the organisation involved in processing information.   Yes, IT security (e.g., firewalls, anti-virus, change management etc.) is important and has a significant part to play, but it is equally about other areas of the business.  In HR, do you appropriately check your staff and not just when they join?  In Facilities, do you manage access to your premises, and can visitors wander around unchallenged?  What security policies do you have, where are they, how do you communicate them?  And it´s not just about focusing internally.  It´s important to remember, you are only as good as your third parties; so how do you communicate your requirements with them and ensure they have the appropriate controls in place?

  • It’s based on the principle of continuous improvement
    You may not be where you want to be on day one, but you are continuously reviewing and improving your position.
  • The actual Standard comprises 2 parts
    These being the mandatory management system sections, common to all Standards, that you have to do, (e.g., gain top management commitment, manage your information risks, conduct audits, and management review), as well as Annex A controls which you can implement or not as determined by your risk assessment.

Reasons for implementing ISO 27001

  • Quite simply, it is one of the most cost-effective means of protecting your information, i.e., the mandatory risk assessment allows you to make informed decisions about what controls/measures to implement and avoid unnecessary ones!
  • ISO 27001 takes a holistic view to identifying all types of information including digital, hard-copy, personal, company, financial etc., as well as taking a holistic view to assessing threats from cyber to poorly trained or unaware staff or ineffective procedures and processes
  • It embeds good practices into your organisation and enhances your culture
  • It provides reassurance to your clients and other key stakeholders that you take information security seriously, particularly when you handle their data.  Certification provides a significant extra level of reassurance
  • The information security management system (ISMS) central to ISO 27001 allows you to constantly adapt to the changing business and threat landscape.  The focus on continual improvement, monitoring, auditing and correcting ensures controls are constantly updated and work effectively
  • It helps not just in minimising the risk of security breaches but helps you manage incidents and recover more quickly
  • Ultimately, ISO 27001 helps protect your reputation and adds value to your business.

So, why you should partner with URM?

Here are a few reasons:

Experience and expertise – We will ensure that you gain maximum benefit from implementing ISO 27001 by virtue of our experience.  URM has assisted over 400 organisations to achieve certification to the Standard.  Our senior consultants have extensive experience as both subject matter experts working at a senior level within a business and in their role as consultants advising organisations on best practice to understand what works, what doesn’t and the best approach to take.

Risk specialists – Without strong risk management, you are literally making decisions in the dark on which information security controls need to be prioritised and implemented.  URM can assist you in developing your risk management capabilities through consultancy, our purpose-designed risk assessment tool (Abriska™ ) and through our training courses.

With the training, you will not only be able to develop your risk management skills, but also gain a practitioner certificate to demonstrate your competence.

Knowledge transfer approach – Central to our consultative approach is the goal to help you become totally self-sufficient, i.e., for you to develop your in-house expertise and competencies.  Our consultants are heavily involved in the delivery of public training courses so come armed with extensive industry experience across multiple sectors and the knowledge transfer skills to relate the ISMS to your needs, empowering your organisation to learn, not just what to do, but to be able to understand and embed the standard as part of business as usual.

Assurances – Our consultancy services come not only with a 100% certification guarantee, but with the assurance that any implemented ISMS will be tailored, appropriate and sustainable.  Any major nonconformity attributable, attributable to work completed by URM will be corrected free of charge.  A wide range of case studies is available on our website and references are available on request.

Flexible and tailored approach – We pride ourselves in tailoring our ISO 27001 consultancy services around your specific requirements, which may be full lifecycle consultancy where we take the lead and provide knowledge transfer, to a light touch approach which includes mentoring or reviewing outputs.

With the latter, URM may assist with specific activities such as conducting risk assessments, developing policies and procedures, delivering awareness sessions and conducting audits.  Our services are scalable, and can be tailored to factors such as internal resource availability, timescales and budgets.

Business-led Approach – Your ISMS needs to be just that, yours.  Not something that sits on a shelf, or is reviewed in preparation for an external assessment, but something that becomes part of the fabric of your business.

Our goal with any ISO 27001 implementation is to achieve the optimum balance, where the mandatory management system requirements of the Standard are being met whilst ensuring that your ISMS reflects your organisation and is uniquely tailored to your size, sector, culture, and objectives.

We always aim to ensure that anything we develop or recommend is appropriate and pragmatic and adds value to your business and that you do not become a ‘slave to the Standard’ i.e., doing something because the Standard says so, as opposed to maximising an existing internal process or method of working.

Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification
Thumbnail of the Blog Illustration
Information Security
Published on
How do you Identify and Then Manage Your ISMS Scope?

When managing the security of your organisation’s information assets, you will need to consider the scope of what you are doing.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
What Are the Critical Steps When Implementing an Effective Information Security Management System?

URM assisted over 350 organisations achieve ISO 27001 certification, here are the critical steps when implementing an effective information security system.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
How Should You Onboard New IT Systems and Software?

This blog takes a look at onboarding information systems. When onboarding is mentioned will conclude it’s referring to people but there is a lot more to think

Read more
Without doubt, URM helped us to achieve our planned objectives a lot sooner than expected. The engagement was a huge success and couldn’t have gone any better.
Group IT Director, UK Mail
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.