What is ISO 27001?
ISO 27001 is the internationally recognised standard for Information Security. It focuses on regulating and improving the processes you have in place to ensure confidentiality and secure storage of essential information and documents.
Using this standard enables organisations of any kind to manage the Information security of the company’s assets such as financial information, intellectual property, employee details or information entrusted by third parties including customers.
Like other ISO management system standards, certification to ISO 27001 is achieved through the continual improvement process of Plan, Do, Check, Act. Some organisations choose to implement the standard in order to benefit from the best practice it outlines, while others also decide to get certified to reassure customers and clients that their information systems are secure and that the company has actioned any recommendations raised.
What Are The Benefits?
- Avoid Data Breaches
- Improved Recovery Time In The Event of a Breach
- Provide Employee Training to Promote A Security Mindset
- Establish Trust With Customers
- Ensure Compliance With Government Legislation e.g. GDPR
- Minimise Risks Through Early Identification and Mitigation
Why Choose Candy?
Our team have a minimum of 10 years of experience each within the ISO and health and safety industries. We're here to guide you through the processes and answer any questions you may have.
When you follow our guidance, you are guaranteed to achieve your ISO Certification.
We are proud to say we have a 100% success rate to date!
We make sure all of our services are provided promptly and within the specified timeframe given. We have a set day rate and will never charge you for the days you don't use.
Our team are here to help. We want to ensure that you fully understand your new management system and the importance of maintaining it in the future. No question is too silly, ask away!
Our Flexible 3 Step Process
We will complete a thorough gap analysis and review of your business processes to understand how best to implement an ISO compliant management system.
Build The System
Working with your management team we will build your new management system and where possible align to your existing processes to avoid disruptive change.
We will train your workers on the new system and how to maintain it so that you remain compliant. We will also assist you in your preparation for third-party certification audits.
How Does ISO 27001 Work?
ISO 27001 works by creating structured, consistent procedures to ensure information security. It is implemented with the help of an expert consultant who will advise you on each individual clause. Once the Information Security Management System has been implemented, it is reviewed by a separate, third-party auditor. The auditor will examine the procedures you have in place and gauge your compliance. If they are satisfied that you have met all of the requirements of the standard, they will award you certification, then visit each year to conduct a surveillance audit and every three years to re-certify you.
The Requirements Explained
Before developing processes or procedures we need to understand the business: how it is run and what factors can hinder or contribute to the running of it. In other words, what does the business do? In determining the context we will identify internal and external issues, interested parties and the scope of the Information Security Management System.
The leadership clause requires the company’s top management to actively lead the Information Security Management System and to be able to demonstrate this through policies and responsibilities. Leadership places an emphasis on customer focus, with specific applications ranging from support for customer regulatory requirements and risks to enhancing customer satisfaction.
Top management’s responsibilities include establishing and communicating a quality policy, communicating the importance of the ISMS, and assigning responsibilities to ensure the ongoing effectiveness of the Information Security Management System.
Planning addresses the process of determining the activities required to achieve the desired goal. It requires critical thinking about the risks that may occur in future and addressing these through adequate control measures. Companies are required to take a risk-based approach and plan for the uncertainties proactively to prevent undesired effects.
Another aspect of planning is to identify objectives that can be used to monitor and track the progress made.
The company is required to determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the Information Security Management System. In doing so the organisation should consider the capabilities of, and constraints on, existing internal resources and what needs to be obtained from external providers. This will include people, infrastructure, the working environment, monitoring and measuring resources, organisational knowledge, competence and awareness, communication, and documented information.
The company must plan, implement and control the processes needed to meet the requirements for the provision of products and services and to meet the requirements of the Information Security Management System. These include aspects of design, control of externally provided processes, production and service provision, the release of products and services, and control of nonconforming outputs.
This clause covers assessment of the company’s own performance in meeting customer and regulatory requirements, as well as its performance in meeting the requirements of its own Information Security Management System and the ISO 27001 standard. This will include activities such as establishing what needs to be monitored and measured, customer satisfaction, analysis and evaluation of data, completing internal audits, and top management carrying out a formal review of the performance of the ISMS.
The company must determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction. These activities may also include improving products and services to meet requirements and address future needs and expectations; correcting, preventing or reducing undesired effects; improving the performance and effectiveness of the Information Security Management System; and investigating and correcting non-conformance.