Given the high-profile cyber-security breaches in recent years, it should be no surprise to learn that the number of organisations achieving ISO 27001, the International Standard for information security, rose by 21% in 2016 – the last year we have figures for.
The standard is becoming a must-have certificate as more organisations worry not only about the data they hold, but also about the data entrusted to them by third parties or indeed clients.
There appears to have been a surge in law firms in particular achieving the standard, perhaps in response to the forthcoming GDPR regulations, but also as many tender documents now ask for such certification.
What is ISO 27001:2013 and how do you achieve it?
The standard specifies what you have to do to establish, implement, maintain and continually improve an information security management system tailored to the needs of your own organisation – including the assessment and treatment of information security risks.
Successful certification is not easy. This is not a tick-box exercise that can be done in a day and forgotten about once the certificate is hanging on the wall.
It will generally take anywhere between 6 and 12 months to complete, but longer if you do it from scratch on your own with no external support or advice. And that is where our experience of achieving the standard has proved useful for our clients.
Firstly, whilst we do not offer an ISO 27001 consultancy service as such, there are some specific areas where we have helped our clients to ease their burden, such as answering questions relating to IT systems and infrastructure security, network security, connections to the outside world and data accessibility. We have also provided sample documentation to assist with policies for remote working, data backup, password management, acceptable use etc.
With most of our managed services clients we also help with sections relating to security when adding new starters for the organisation and in any event manage operations to ensure that all leavers are immediately removed from the system and denied access to it. Such processes are a standard part of the Quiss outsourced service model.
The ISO 27001 external assessment is in many ways less to do with physical checks of IT systems or infrastructure and more about implementing robust processes for managing the confidentiality, integrity and availability of corporate data. This helps ensure people within the organisation understand that information security is the responsibility of everyone, not just the data controller, if they have one.
That said, the analysis and risk assessment of the physical security in place on the network does form a key part of the standard and for our managed service clients, these elements are often outsourced entirely to Quiss. Our standard model ensures that these elements are robust enough to withstand the requirements of ISO 27001 without the need for further costly changes.
Advice when needed
Having held the certificate for many years, we have advised numerous clients through the process and have time and again demonstrated that our networks are of the calibre needed to withstand the audit process. We have been told our informal support, coupled with the rigour we have already built into our clients' infrastructures, has helped to significantly reduce the time for the firms concerned to achieve ISO 27001:2013.
Our advice focussed on offering a pragmatic approach to each section, shaped by our own efforts and through helping others along the same journey. It’s an important standard and will only become increasingly necessary as the threat environment changes.
If you’re considering certification, there is certainly plenty of support out there. But if you would like an informal chat to understand how outsourcing to Quiss has helped other organisations in this scenario, please get in touch and we’ll talk you through it.