Assured Confidence

ISO/IEC 27001 Information Security Management System

Safeguarding your information with ISO/IEC 27001

ISO/IEC 27001 (Information technology - Security techniques - Information security management systems - Requirements) specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).

15th March 2018

NSAI hosted an information briefing introducing and detailing the requirements of ISO/IEC 27001. You can view a copy of the presentation slides here.

Benefits of implementing ISO/IEC 27001

1. Compliance
  • avoid reputational damage caused by ineffective security
  • comply with legislation and with stakeholder needs and expectations
  • enable secure exchange of information
2. Marketing
  • win new business and retain existing clients
  • increased credibility when tendering for contracts
  • expand into global markets
  • demonstrate best practice
3. Cost reduction
  • reduce the risk of suffering a data breach
  • avoid fines
  • implement proportionate, risk-based security controls
4. Structure your business
  • define responsibilities
  • improved management processes and risk strategy
5. GDPR readiness (EU General Data Protection Regulation)

Is your organisation ready for the EU GDPR? An ISMS certified to ISO/IEC 27001 does not by itself make an organisation GDPR-compliant, but it provides documented, independently audited evidence that appropriate technical and organisational security measures are in place, which is what Article 32 of the GDPR requires of controllers and processors.

The EU GDPR applies across all EU member states from 25th May 2018. This reform has significant implications not only for organisations based in the EU, but for any organisation that processes the personal data of individuals in the EU, wherever it is established.

The GDPR aims to:
  • Reinforce the rights of the individual
  • Strengthen the EU internal market through new, clear and robust rules for the free movement of data
  • Ensure consistent enforcement of these rules
  • Set global data protection standards
  • Safeguard a gold standard for data protection across all industries

Related Links:

European Commission - Protection of personal data
Data Protection Commissioner - GDPR webpage


ISO/IEC 27001 Implementation Methodology

  1. Get top management support
  2. Construct the business case and project plan
  3. Define the scope of the ISMS
  4. Conduct a risk assessment and plan risk treatment
  5. Agree an effective monitoring methodology and applicable KPIs
  6. Train personnel
  7. Implement controls
  8. Operate and maintain the ISMS
  9. Conduct an internal audit of the system and its policies
  10. Management review
  11. Implement corrective actions and repeat as necessary

Structure of ISO/IEC 27001

Context of the organisation

  • Needs and expectations of interested parties
  • Scope of the ISMS
Leadership
  • Demonstration of leadership and commitment by top management
  • Establishment of the information security policy
  • Assignment of roles, responsibilities and authorities
Planning
  • Information security risk assessment
  • Information security risk treatment
  • Statement of Applicability
  • Information security objectives and plans to achieve them
Support
  • Competence and awareness of personnel
  • Communication
  • Documented information
Operation
  • Operational planning and control
  • Information security risk assessment
  • Information security risk treatment
Performance evaluation
  • Monitoring, measurement, analysis and evaluation
  • Internal audit
  • Management review
Improvement
  • Nonconformity and corrective action
  • Continual improvement
Risk treatment controls (the control domains of Annex A; the Statement of Applicability records which of these controls are applied and justifies any exclusions)
  • Information security policies
  • Internal organisation
  • Human resources
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Security incident management
  • Business continuity
  • Compliance

Self-assessment Questionnaire

To determine how ready your organisation is for certification you can use the NSAI self-assessment questionnaire.

If you wish to receive a quotation for certification please complete the NSAI request for quotation form and return it to certification@nsai.ie

The process to achieving certification to ISO/IEC 27001

  1. The applicant familiarises themselves with the requirements of the ISO/IEC 27001:2013 standard.
  2. Conduct a self-assessment - Download Self-Assessment Form
  3. Follow the system implementation methodology above
  4. Apply for certification - Download Request for Quotation/Application Form
  5. Send the completed Request for Quotation form to NSAI; NSAI will then return a quotation for certification specific to your organisation.
  6. To make a formal application, sign the NSAI quotation and return it to certification@nsai.ie
  7. An NSAI auditor will make contact to agree phase 1 assessment dates
  8. Certification audits are conducted
  9. Certification decision


For further information see ISO/IEC 27003:2010 Information technology - Security techniques - Information security management system implementation guidance (since superseded by ISO/IEC 27003:2017).


ISO/IEC 27001:2017 and ISO/IEC 27003:2010 can be purchased at www.standards.ie
