ISO 27001 - a beginner's guide

These days, barely a week will go past without a news story about a security breach at a high-profile organisation.

Not only does this put pressure on the security industry, but it reveals a significant opportunity as information security suddenly becomes a major priority for organisations worldwide.

Despite this opportunity, as shown in a recent story in SC Magazine, the industry has been somewhat slow to demonstrate its competence. Etienne Greeff, professional services director at SecureData Europe, claimed that the 'trust me, I'm a doctor' culture is no longer good enough for customers worried about handing over their data. He also said that the ISO 27001 certification has been implemented by only a few organisations.

What's it all about?

In truth, the ISO 27001 information security management standard is one of the International Organization for Standardization's (ISO) more popular measures. According to its most recent survey, there were more than 1,100 companies certified in the UK in 2010, putting the country third in its rankings.

Relatively new, ISO 27001 was introduced in 2005; the intention is to provide structure to ensure you are managing your risks effectively. When more and more data is entrusted to be stored securely, ISO 27001 allows those taking care of this essential data to demonstrate they are taking their customers' security threats seriously.

The idea behind ISO 27001 is that you become proactive, not reactive. Planning means you or your clients aren't at risk of any threats that could prove at best embarrassing, or, at worst, put your business at great risk, be it from legal, reputational or financial repercussions.

With ISO 27001 being an internationally recognised standard implemented by thousands, it is a way of avoiding the use of a mass of ineffective policies which are outdated or contradictory. The standard provides an organisation with assurance, knowing that their processes and controls are secure and adhere to best practice.

The benefits

Improved structure and focus are massively underrated benefits of implementing ISO 27001. As businesses grow rapidly, it doesn't take long before there is confusion with who decides what, who is responsible for certain information assets, and who has to authorise access to various systems. As a consequence, the standard can help you become a more productive business.

Rarely prioritised at the start of the process, but often realised, is an improvement in company culture. Employees understand the risks that may occur and embrace security controls as a result. ISO 27001 helps increase visibility and comprehension of IT security issues, bringing preparedness to the workforce, which can help boost morale.

Because it is so well recognised, ISO 27001 is particularly credible when tendering for work. Within the public sector, information security is of course deemed essential, so following the standard could be the difference between winning and losing that vital tender. In fact, ISO 27001 gives an overall marketing edge against your competitors, particularly as achieving certification puts you alongside the likes of Cisco, Microsoft and Verizon.

Because ISO 27001 is so well respected, having certification often negates the need for customer audits. In an earlier article, Michael Brophy from Certification Europe mentioned that one client “calculated that in 2009 alone they reduced the number of external customer audit days by 49”.

If you are looking to expand into global markets, it's almost impossible to do business in the security industry without ISO 27001, as it is often a supply-chain requirement. In Japan, it is a legal requirement.

Of course, it's not all about winning new business, it's just as important to be able to retain existing clients. Adding an endorsement of good security practice gives another reason for clients to stay with you, at a time when the current economic situation forces once loyal clients to look around.

What's the catch?

So what has stopped some organisations going for ISO 27001 certification? Well, predictably, hard times have made it difficult to justify the cost. A survey by consultancy firm Activity found that one-third of respondents have considered, but not implemented, an information security management system (ISMS) such as ISO 27001, believing that the cost of doing so would be prohibitive. Similar proportions of respondents who have implemented such a system also had cost as their top concern.

Rob Fenn, marketing director of the British Assessment Bureau, an ISO 27001 certification body, estimates the cost of certification to be "around £1,799 plus VAT for your typical SME".

What's more, although not essential to achieving certification, some companies prefer to bring a consultant in, which can double the overall costs. Fenn comments: “In the current climate, any financial expenditure should rightly be justified. However, the increased efficiency ISO 27001 brings helps to cut mistakes and re-work, quickly recouping the expenditure involved. That's before considering that having the certification may be the difference between winning that next contract or not.”

Achieving certification

Becoming certified normally takes three to six months, but this can depend on the size of the organisation and how many sites are involved. Undoubtedly, management buy-in is essential for implementation to be hassle-free, but it's also important for there to be a main co-ordinator to take responsibility.

This can seem daunting for the person made responsible, but in most cases the principles of ISO 27001 will soon become integrated in your business and, before you know it, it'll just be the way you do things.

The process starts with what's known as a 'Stage 1 Audit'. Your existing systems will be reviewed, resulting in a gap analysis report which will identify the actions required to meet the standard. Many organisations find they already have a number of required processes in place; they just need better documentation and communication of what processes are mandatory and who has responsibility for what.

Once the organisation is ready and has filled the gaps highlighted, an auditor will visit its premises to carry out the 'Stage 2 Audit'. This will reveal the effectiveness of your ISMS and whether it meets all the requirements of the standard.

If you are fully compliant, you will be recommended for certification. The auditors' report will then be checked via an approvals process and, if no anomalies are identified, ISO 27001 certification is officially awarded.

To maintain your certification, it is mandatory to have at least one surveillance audit per year to ensure you are still meeting requirements. Should a major non-compliance be identified, you would be given a set period of time to rectify the situation.

Every third year, a full re-audit is undertaken, aimed at identifying key trends of strength and weakness. Your certification body would work with you to identify opportunities for improvement. Such audits are more extensive than annual surveillance audits, and some certification bodies may charge extra to undertake them.

A word of warning from Fenn: "The Government has recently sent out a reminder that UKAS accreditation is the only form of accreditation recognised when it comes to ISO certification bodies… as with choosing any supplier, ask for a certification body's credentials before engaging with them."

When reaffirming its stance on unaccredited certification, the Department for Business, Innovation and Skills said that any certification body not accredited by UKAS “is likely to be guilty of an offence”.

The British Assessment Bureau is a UKAS accredited certification body, providing ISO accreditation and OHSAS 18001 certification and training.