ISO 27001 certification is a good indication that a company takes security seriously, with robust infrastructure and processes in place.
This means ensuring data is stored and processed in an appropriate manner and thereby reducing the risk of a data leak or breach.
Data security is a core concern for every company, particularly since the introduction of the GDPR in May 2018. SMEs and large enterprises alike now rightly have a laser focus on the security of their IT providers, particularly where this involves software providers processing data.
Many of the clients we work with offer professional services in the form of legal and financial services. These are highly regulated businesses that handle a lot of personally identifiable or sensitive information within their business applications. It’s crucial that any IT provider to which they outsource hosting, application management or design is security certified to the highest level.
What is ISO 27001?
ISO 27001 (or, to give its full name, ISO/IEC 27001) is an internationally recognised security standard that provides the specification for an Information Security Management System (ISMS). Based on risk management principles, the ISMS sets out the policies and procedures an organisation defines to keep all the information it holds secure, helps increase resilience to cyber-attacks, and provides a central framework for the management of data and information.
ISO 27001 is an externally audited certification, which requires organisations to present their ISMS framework and evidence records of its use to certified auditors trained in data security during a rigorous set of interviews and meetings.
By adopting a systematic approach to security management, a company with ISO 27001 certification is much better prepared to identify, manage and assess the risks associated with the collection, storage and deletion of personal data.
What does ISO 27001 certification involve?
Documenting processes and validating individuals
Gaining ISO 27001 certification is not a quick process and requires real commitment from the organisation to put in the hours and resources needed to pass the audit process. In most cases, a large proportion of the time is spent creating the documentation required for the ISMS. This involves assessing existing processes and infrastructure to ensure they conform to the ISO 27001 standard while remaining practical to use day to day.
This is no small feat. At Bedroq, it has taken us six months of hard work and commitment just to prepare for the ISO 27001 Audit. We have also had to spend time training our staff on the ISMS. Gaining certification is not just about having the right documents; more importantly, it’s about creating a company-wide culture where data security is something that each employee takes seriously.
The ISO 27001 Audit
Then comes the audit. The initial audit process for ISO 27001 certification is conducted in two to three stages:
1. Internal Audit
Before inviting any external scrutiny, companies carry out an internal audit of the system and its day-to-day use to identify any areas of the standard that are not being met and to enact any corrective action needed.
2. External Stage One Audit
At this stage, the auditor assesses whether the company has successfully complied with the proposed scope of the ISMS and that the structure of their ISMS fulfils the requirements of the certification standard. It is a constructive audit, showing companies where they may have weaknesses (called non-conformities, which can be major or minor) so they can take any remedial action needed in preparation for the next stage.
3. External Stage Two Audit
At some point after the stage one audit, a stage two audit is conducted, which takes a deeper look into the processes and procedures the company operates. Normally the auditor will want to see at least three, or even six, months of evidence. This audit is conducted to ensure not only that these processes and procedures conform to the requirements of the standard, but also that they work in practice and are being followed throughout the organisation.
Any non-conformities from the stage one audit are reassessed to ensure corrective action has been taken. If additional non-conformities are found at stage two, they are assessed for severity. If they are minor and can be addressed simply and quickly, certification may still be awarded; if the non-conformities are significant, a third audit may be required to satisfy the auditor that their concerns have been addressed.
Why does ISO 27001 certification matter?
ISO 27001 matters for outsourced IT providers because it shows a clear, strong commitment to data security measured against an international standard. Customers can rest assured that their provider has, for example, a robust approach to keeping sensitive data secure and managing risks. The whole company learns about the certification and how to use the ISMS, ensuring high standards of security across the organisation.
However, getting ISO 27001 certification isn’t the be-all and end-all – it’s an ongoing process. Companies with ISO 27001 in place are checked annually to ensure they continue to use the processes put in place. This auditing cycle ensures that their data security practices are continuously improving. Companies must also reapply for certification every three years.
If you have any doubts about your IT provider’s suitability to work with highly regulated, compliance-driven businesses, then being assured of their ISO 27001 certification should put your mind at rest.
Are you thinking of starting the ISO 27001 certification process for your business?
We have put together a number of templates, tools and documents to help expedite the process of getting ISO 27001 certified. If you’d like advice, we are happy to help. Get in touch.