ISO 27001 is an international standard for Information Security Management Systems. The standard provides a framework that organisations of all sizes can follow to manage information security within a workplace, fulfil legal compliance obligations, and identify risks and opportunities along with treatment controls.
There are many industries where ISO 27001 certification is a contractual requirement. For some it can be an essential tool for gaining the advantage over competitors and demonstrating enhanced credibility.
Implementing an ISO 27001 ISMS (Information Security Management System) with Candy Management will enhance Information Security awareness and performance, from top management across your entire organisation, and if done right will achieve cost savings through improved security and a reduction in ISMS issues or breaches.
A Candy ISMS will also enable you to identify risks and develop controls and initiatives that result in a security culture. This can open doors to new business, especially when completing PQQs and tenders for new contracts.
Our management systems have been implemented across all sectors and have been certified by UKAS-accredited bodies multiple times. Every customer has unique needs and we tailor our services to meet those needs. Whether you’re seeking full implementation support or some hand-holding, we will be there for you until you get your ISO 27001 certificate, and beyond.
Before proceeding with developing processes or procedures we need to understand the business: how it is run and what factors can hinder or contribute to its running, in other words, what does the business do? In determining the context we will identify internal and external issues, interested parties and the scope of the Information Security Management System.
The leadership clause requires the company’s top management to actively lead the Information Security Management System and to be able to demonstrate this through policies and responsibilities. Leadership has an emphasis on customer focus, with specific applications ranging from support for customer regulatory requirements and risks to enhancing customer satisfaction. Top management’s responsibilities include establishing and communicating an Information Security policy, communicating the importance of Information Security, and assigning responsibilities to ensure the ongoing effectiveness of the Information Security Management System.
The planning clause addresses the process of determining the activities required to achieve a desired goal. Planning also involves thinking about the risks that may occur in future and addressing them through adequate control measures. Clause 6 of ISO 27001 deals with this critical activity and requires an organisation to take a risk-based approach and plan for uncertainties proactively to prevent undesired effects. Another aspect of planning is to identify objectives that can be used to monitor and track progress. Additionally, this clause requires an organisation to plan for changes and follow a structured approach for any changes required in the management system.
The support clause requires the organisation to determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the Information Security Management System. In doing so the organisation should consider the capabilities of, and constraints on, existing internal resources and what needs to be obtained from external providers. This will include people, infrastructure, the working environment, monitoring and measuring resources, organisational knowledge, competence and awareness, communication, and documented information.
The operation clause requires the organisation to plan, implement and control the processes needed to meet the requirements for the provision of products and services and to meet the requirements of the Information Security Management System. These include aspects of design, control of externally provided processes, production and service provision, release of products and services, and control of nonconforming outputs.
The performance evaluation clause requires an organisation to assess its own performance in meeting customer and regulatory requirements as well as its performance in meeting the requirements of its own Information Security Management System and the ISO 27001 standard. This will include activities such as establishing what needs to be monitored and measured, customer satisfaction, analysis and evaluation of data, completing internal audits, and top management carrying out a formal review of the performance of the Information Security Management System.
The improvement clause requires an organisation to determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction. These activities may also include improving products and services to meet requirements and address future needs and expectations; correcting, preventing or reducing undesired effects; improving the performance and effectiveness of the Information Security Management System; and investigating and correcting non-conformances.
A Candy Management lead consultant can carry out a no-obligation, fully detailed gap analysis of your existing systems to identify what work is needed to meet the requirements of all the ISO 27001 clauses. If you prefer, you can give us a call and speak to one of our advisers for free.