By Shiela Lumsden on 28 Mar 2019
We are very excited to announce that we have fully maintained our ISO 27001 certification and have been successfully re-certified for a further three years.
ISO 27001 has become a well recognised certification within the information technology sector and is an important element of EveryCity’s commitment to its clients. For us, ISO 27001 ensures:
- Customer Trust; by achieving the ISO/IEC 27001 certification, we prove that we maintain a rigorous information security management system.
- Manage and Protect Information; implementing an ISMS that complies with the ISO/IEC 27001 requirement helps us to maintain, manage and protect our data and customer information.
- Enhance Reputation; by having an effective ISMS that complies with the standard, we demonstrate the efforts EveryCity management puts in to protect the organisation against breaches and cyber threats.
- Data Breach Fines and Penalties; implementing ISO/IEC 27001 enables us to protect and manage information assets. This will help us to be well prepared against threats and prevent any penalties in the event of a breach.
For anyone new to the standard, the overview below explains what it is and why it’s so important to the industry. If you feel inspired to implement it in your organisation, we provide a run-down of the essentials to give you an idea of what’s involved.
What is ISO 27001
ISO/IEC 27001 is an international information security standard, part of the ISO/IEC 27000 family of standards, which provides the specification for a best-practice information security management system (ISMS).
The ISMS is a framework of policies, processes and procedures that involves legal, technology, physical and people. It helps an organisation to protect and manage its information security through effective risk management.
Achieving certification to ISO 27001 shows that independent and expert auditors have assessed your ISMS framework and that information security is managed in line with international best practices and business objectives.
Annex A of the standard contains 114 controls that cover all the requirements for effective management of sensitive organisation information so that it remains secure. These controls cover people, processes and IT systems.
Organisations can choose which controls are applicable to their environment, which means that implementing all of these 114 controls is not mandatory. Each organisation should carefully study its own information security requirements and implement those controls that are most appropriate for their business.
How ISO 27001 is aligned to the business strategy goals?
As mentioned above, it’s essential that organisations should carefully identify and understand their own information security requirements to help them maintain and protect their information. There are many methods that will help you to identify your organisation’s security requirements, which include:
- Assessing all risks that may impact your organisation achieving its business strategies and objectives, such as identifying threats, vulnerabilities, and the probability and impact such risks have to your assets.
- Evaluating your organisation’s rules for information processing, storing, collecting, communicating, etc to support its business operations.
- Understanding the internal and external issues that are relevant to your organisation’s purpose to achieve its goals, this includes areas such as contractual obligations, legal and regulatory requirements.
Once these information security requirements have been identified, you will be able to choose the applicable ISO 27001 controls from Annex A of the ISO 27001 specification document.
Finally, implementing and achieving the ISO/IEC 27001 certification is not a one time project, but something that needs to be maintained. Therefore, you will need to train an ISO/IEC 27001 implementer and internal auditor in order to to keep the ISMS up-to-date and to succeed in the annual surveillance audits. This will also further prepare you to deal with the recertification audit after three years of achieving the ISO/IEC 27001 certification.
We would be delighted if you choose to join us in gaining ISO/IEC27001 certification and would be more than happy to speak with you to share our learning about the experience of implementation, or just to hear your own experiences of the journey towards certification.