Safeguarding your information with ISO/IEC 27001
ISO/IEC 27001 (Information technology - Security techniques) provides requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).
15th March 2018
NSAI hosted an information briefing introducing and detailing the requirements of ISO/IEC 27001. You can view a copy of the presentation slides here.
Benefits of implementing ISO/IEC 27001
- protection against reputational damage caused by ineffective security
- compliance with legislation and stakeholder needs and expectations
- enables secure exchange of information
3. Cost reduction
- win new business and retain existing clients
- increased credibility when tendering for contracts
- expand into global markets
- demonstrates best practice
4. Structure your business
- reduce risk of suffering a data breach
- avoid fines
- implement proportionate security controls
5. GDPR (EU General Data Protection Regulation)
- define responsibilities
- improved management processes and risk strategy
Is your organisation ready for the EU GDPR? ISO 27001 can be used to provide a basis for evidence of compliance with the GDPR.
The EU GDPR will apply across all EU member states; the official enforcement date is scheduled for 25th May 2018. This reform has significant implications not only for businesses based in the EU, but for all organisations operating within the EU market.
The GDPR aims to:
- Reinforce the rights of the individual
- Strengthen the EU internal market through new, clear and robust rules for the free movement of data
- Ensure consistent enforcement of these rules
- Set global data protection standards
- Safeguard a golden standard for data protection across all industries
European Commission - Protection of personal data
Data Protection Commissioner - GDPR webpage
ISO/IEC 27001 Implementation Methodology
- Get top management support
- Construct business case and Project Plan
- Define scope of system
- Conduct risk assessment and plan risk treatment
- Agree effective monitoring methodology and applicable KPIs
- Train personnel
- Implement controls
- Operate and maintain ISMS
- Conduct audit of system and policies
- Management review
- Implement corrective actions and repeat as necessary
Structure of ISO/IEC 27001
Context of the Organisation
- Needs and expectations of interested parties
- Scope of the ISMS
Leadership
- Demonstration of leadership and commitment by top management
- Establishment of ISMS policies
- Assignment of roles, responsibilities and authorities
Planning
- Information security risk assessment
- Information security risk treatment
- Statement of applicability
- Information security objectives and plan
Support
- Competence and awareness of personnel
- Documented information
Operation
- Operational planning and control
- Information security risk assessment
- Information security risk treatment
Performance Evaluation
- Monitoring, measurement, analysis and evaluation
- Internal audit
- Management review
Improvement
- Nonconformity and corrective action
- Continual improvement
Risk Treatment Controls
- Internal organisation
- Human resources
- Asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Security incident management
- Business continuity
To determine how ready your organisation is for certification you can use the NSAI self-assessment questionnaire.
If you wish to receive a quotation for certification, please complete the NSAI request for quotation form and return it to firstname.lastname@example.org
The process to achieving certification to ISO/IEC 27001
- Applicant familiarises themselves with the requirements of the ISO/IEC 27001:2013 standard
- Conducts a self-assessment - Download Self-Assessment Form
- Follows the system implementation methodology
- Applies for certification - Download Request for Quotation/Application Form
- Sends the completed Request for Quotation form to NSAI; NSAI will then return a quotation for certification specific to your organisation
- To make a formal application, sign the NSAI quotation and return it to email@example.com
- An NSAI auditor will make contact to agree phase 1 assessment dates
- Certification audits are conducted
- Certification decision
For further information see ISO/IEC 27003:2010 ‘Information technology - Security techniques - Information security management system implementation guidance’
ISO/IEC 27001:2017 and ISO/IEC 27003:2010 can be purchased at www.standards.ie