We first attained ISO/IEC 27001:2013 certification for information security back in November 2017. Since then, we’ve not only added two more certifications (ISO 9001 for quality management and ISO 14001 for environmental standards) but have also been busy maintaining all three.
What is ISO 27001?
The official textbook definition is quite something – you’d expect it to be, considering how important and involved information security is.
“ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.”
Why did we attain it?
Security is a big deal for us. Not just us, but our clients and our clients’ clients. That’s why it’s essential that we can properly demonstrate the soundness of our practices and processes. That way, it allows others to have total trust in us and our security. We’ve had the certification for four years and we’ve worked hard since then to continue to maintain it. Not only that, we aim to go beyond ISO 27001 requirements.
Take a deep breath…
There’s an extremely long list of mandatory documents and processes that we’ve put into place to achieve the ISO 27001 Standard. These are shown below, and we also work on regularly enhancing these and actually go further, adding relevant policies and actions for our business.
Scope of the Information Security Management System – sets out the type of operations the Information Security Management System (ISMS) will be applied to, and the boundaries that will be placed upon it.
Information security policy and objectives – acts as a statement that the organisation’s goal is to handle information in a secure manner that complies with any legal regulations and ethical obligations, as well as showing evidence of a desire for continual improvement.
Risk assessment and risk treatment methodology – how we identify risks to information security, and our approach to mitigating those risks and addressing them when they occur. The methodology addresses how risks are identified, who owns them, how potential consequences are assessed, how the likelihood and severity of each risk are assessed, and how the acceptance of a risk is determined.
Statement of Applicability – this document explains which of the 114 information security controls outlined in Annex A of ISO 27001 will be adopted and why. It identifies which of the controls apply to the organisation, outlines why they apply and how they have been implemented, and justifies any controls that have not been chosen.
Risk Treatment Plan – how the controls which apply to the organisation are implemented, who is responsible for implementation, and the time and resources needed.
Risk assessment and risk treatment report – report on the risk assessment, and any risk treatment, performed in line with the methodology outlined in the document above.
Definition of security roles and responsibilities – outlines tasks and responsibilities of each role which has a part to play in information security.
Inventory of assets – documents any asset that is involved in data storage.
Acceptable use of assets – details the acceptable use of the assets identified in the inventory. As they handle sensitive information, they must be used in the appropriate way.
Access control policy – helps ensure that only the appropriate people are granted access to sensitive information. Outlines how an individual is deemed to warrant access to information, what requirements they must meet to warrant privileged access, how access is granted, how access is reviewed, and how and why access would be revoked.
Operating procedures for IT management – documented procedures for areas of the business where sensitive information is at risk through incorrect operation of IT equipment. These areas are identified by risk assessments.
Supplier security policy – policy regarding the information security of suppliers. A collaborative policy that engenders close working relationships with suppliers who have access to or who could potentially compromise data security.
Incident management procedure – makes it clear how we will react to an information security incident, including how evidence would be gathered, how the circumstances are established and recorded, how the senior team is made aware, and how any weaknesses found are dealt with.
Business continuity procedures – outlines the responsibilities, actions, timescales and work required in the event of an information security incident. Also establishes the management structure and the agreed criteria for escalating an incident.
Legal, regulatory, and contractual requirements – lists all relevant legal, regulatory and contractual requirements and makes clear how each impacts our information security processes.
Records of training, skills, experience and qualifications – records of the ongoing training and experience of each member of staff, to demonstrate an appropriate level of competence.
Monitoring and measurement of results – one of the greatest strengths of ISO 27001 is its emphasis on continual improvement. A key part of an ISMS is to monitor its performance and measure the effectiveness of its results. We keep records of these evaluations, alongside evidence that we have considered what to measure, how and when, and that the outcomes of any decisions are delivering appropriate process control.
Internal audit programme and results – internal audit is a key aspect of an ISMS. Audits are carried out at least annually and detailed records are kept, along with information about any issues or opportunities for improvement that are uncovered.
Results of the management review – six-monthly management reviews by the Security Team to assess whether the ISMS remains effective. The agenda, minutes and outcomes are recorded for each of these meetings.
Non-conformities and results of corrective actions – documentation maintained of any non-conformities in our information security processes and operations, with clear evidence of the corrective action that has been taken and how this will prevent a repeat of the non-conformity.
Logs of user activities, exceptions, and security events – logging of user activities, exceptions and security events, with automated alerts and triggers for any issues.
As you can see, describing it as quite a thorough undertaking is an understatement. It’s a mammoth task and one that is ongoing as we maintain the high standards set by ISO 27001.