ISO/IEC 27001 Achieving and maintaining certification
How confident are you that you have the appropriate controls and procedures in place to avoid data security incidents? Unprotected systems are vulnerable to computer-assisted fraud, sabotage and viruses. Breaches in information security can allow vital information to be accessed, stolen, corrupted or lost.
Protecting this asset through developing robust information security strategies and implementing effective information security controls is a key management responsibility.
An information security management system (ISMS) compliant with ISO/IEC 27001:2005, formerly known as BS7799 Part 2, can help you demonstrate to trading partners and customers alike that you take information security seriously.
What is ISO/IEC 27001:2005?
ISO/IEC 27001:2005 is a third-party assessable standard against which organizations can achieve certification. It was revised in 2005 and is based on the plan-do-check-act model in common with ISO 9001 and ISO 14001, and it uses risk assessment and business impact analysis to identify and manage risks to the confidentiality, integrity and availability of information.
ISO/IEC 27001:2005 aims to ensure that adequate controls addressing confidentiality, integrity and availability of information are in place to safeguard the information of 'interested parties'. These include your customers, employees, trading partners and the needs of society in general.
The ISO/IEC 27001:2005 standard covers:
- scope
- normative references
- terms and definitions
- information security management system
- management responsibility
- management review of the ISMS
- ISMS improvement
Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structure and hardware and software functions. ISO/IEC 17799:2005 establishes the guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization and covers:
- the security policy
- organization of information security
- asset management
- human resource security
- communications and operations management
- access control
- information systems acquisition, development and maintenance
- information security incident management
- business continuity management and
- compliance
For further detail, copies of the ISO/IEC 27001 standard can be obtained from www.ISO.org.
How can ISO/IEC 27001:2005 certification benefit my organization?
Certification to ISO/IEC 27001:2005 is a powerful demonstration of an organization's commitment to managing information security. It also helps create a systematic framework in which organizations drive continual improvement, providing a competitive advantage for your organization because it:
- enables you to work with many organizations where it is a contractual obligation, expectation or prerequisite for doing business
- enables you to demonstrate your IT systems are safe and make a public statement of capability without revealing your security processes or opening your systems to second party audits
- helps your organization develop a business continuity plan, minimizing the impact of any security breaches
- ensures controls are in place to reduce risk of security threats and system weaknesses
- demonstrates your organization meets the requirements of the Data Protection Act of 1998
- enables you to gain increased confidence through the objective view of our management systems expert assessors, who are qualified in information security and other aspects of IT and will judge your system against best industry practice
How can we gain certification to ISO/IEC 27001:2005?
We provide a range of services, including assessment and training courses, to prepare you for certification. Our certificates are truly earned and are a reliable and transparent symbol of management achievement and a commitment to continual improvement.
Our assessment process involves these primary stages:
Why Choose LRQA?
At LRQA, we are passionate about what we do, and we understand what's at stake for your business. We work hard to apply our expertise to make your management systems more efficient and effective. This is why we are one of the world's most trusted management system assessment companies, providing assurance for your business and, in turn, your clients.
- Reputation and Experience – We have issued over 40,200 approvals at more than 48,420 sites to various standards, schemes and specifications. We are recognized and respected worldwide for our own high standards of technical competence, impartiality and independence.
- Assessor Expertise – We use a unique qualification coding system that matches our assessors' industry knowledge and expertise with your business needs enabling them to conduct an effective and robust audit of your system.
- Assessment Methodology – Our assessments focus on the area and issues that are important to your business. We view the process as more than just certification; we view it as a Business Assurance process that helps you assure key stakeholders that you can deliver on the promises and goals you make.
- Assessment Reports – We will provide helpful and insightful overviews in the Executive Summary, tracking of improvements in key areas in the Continual Improvement logs, and advanced views of your long term assessment plan.
- Extensive range of services – We can provide your organization with assessment, certification and verification services to support your organization's future growth and development. In addition, our comprehensive training courses offer the tools you need to prepare, implement, maintain and improve your management system.
- Integrated Assessments – We will work with you to reduce costs through the effective integration of management system assessments.
- Global Capabilities – We have over 2,000 employees offering assessments in over 30 languages. We operate a single system worldwide, which ensures that our certification process is consistent from any of our offices around the world.
LRQA Business Assurance Approach
Our Business Assurance approach to management systems assessment and reporting is unique; it's an approach that enables you to demonstrate how your system is helping to drive your business forward in a measurable and verifiable way. We believe that building trust stretches far beyond the issuing of certificates. It's about us enabling you to deliver on your promises, to be confident in your capabilities and to stand out from the crowd.
Through Business Assurance, we can help you determine whether your management system: