HOW TO SET UP AN ISO 27001 INFORMATION SECURITY MANAGEMENT SYSTEM

​Achieving certification to ISO 27001 demonstrates that your company is following information security best practice, and delivers an independent, expert assessment of whether the data you are handling is adequately protected.

Information is the lifeblood of any business – this is especially true if your clients have entrusted their valuable data to you. Maintaining an information security management system (ISMS) is the most effective way of reducing the risk of suffering a data breach.

An ISMS is a systematic approach to managing the security of sensitive information and is designed to identify, manage and reduce the range of threats to which your information is regularly subjected.

​There are a whole host of benefits to getting ISO 27001, such as demonstrating credibility when tendering for contracts, showing you are taking cyber security threats seriously, and avoiding fines and penalties.

We identify the key requirements of ISO 27001 for you and provide a top level route map for a successful ISMS implementation in your organisation. We will outline a structured approach to implementation based around:

• Planning. Defining the scope of the ISMS. Undertaking a Gap Analysis to assess management system requirements and controls currently implemented. Defining your information security policy. Creating a network map to identify all of your organisation’s devices that are connected, as well as their functions. Produce a data map in respect of all personal data held/used by your organisation.
• Creating a list of relevant risks that would compromise the confidentiality, integrity and availability of your information.
• Defining a systematic approach to risk assessment. 
• Carrying out risk assessments to identify and evaluate information security risks. 
• Identifying and evaluating options for the treatment of these risks. 
• Selecting, for each risk, the controls to be implemented.
• Preparing a statement of applicability (SoA).
• Formulating a risk treatment plan for approval by risk owners. 
• Meeting your organisation’s ongoing legal, regulatory and contractual obligations through a Compliance Legal Register and Key Issues Newsletter.