Achieving ISO 27001:2005
ISO 27001, titled ‘Information Security Management Systems’ (ISMS), is the replacement for the original document, BS7799-2. The basic objectives of the standard are to help establish and maintain an effective information security management system using a continual improvement approach, and to assist businesses and organisations throughout the world in developing best-in-class information security.

Most organisations have a number of information security controls. Without an ISMS, however, the controls tend to be somewhat disorganised and disjointed, having often been implemented as point solutions to specific situations or simply as a matter of convention. The standard defines its 'process approach' as "The application of a system of processes within an organisation, together with the identification and interactions of these processes, and their management".
The Challenge
After achieving ISO 9001:2008, we were a little more confident about working on this project. We knew from the outset that the standard would involve a great deal of commitment from the entire team if we were to achieve certification. We faced a number of challenges including:

• Achieving team “buy in”, as the introduction of an ISMS involves huge cultural changes in the way an organisation operates
• Getting the team to think beyond electronic information and consider the physical security of our building, paper documents and electronic information
• Getting the team to think of information security as an integral part of the daily business and not as an additional burden
• The commitment and inputs from senior managers to help maintain momentum in driving this project forward
• Spreading the knowledge, and particularly the jargon used in ISMS, across the team
• Making information security management a team-wide responsibility and not just the preserve of the IT department
• Keeping the project moving forward during the implementation process and before the all-important audit certificate was granted!
The Solution
Using our experience of ISO 9001:2008 certification, we created a step-by-step procedure, which worked as follows:

• We created a core team for the project
• We organised awareness and training programmes for all team members
• We defined the information security policy and our objectives, and listed all our information assets
• We identified the risks and threats to all the information assets and worked out a strategy for risk mitigation
• We strengthened our physical and information security from all aspects by implementing ISMS controls
• We carried out rigorous internal audits and brainstorming sessions to achieve the standard
The Outcome
In July 2009, Shergroup Outsource achieved its ISO 27001:2005 certification. We were issued with a certificate, valid for three years, by the British Standards Institution for successfully implementing the Information Security Management System.
The Ongoing Benefits
As a result, we believe we have not only achieved the standard but also a number of other benefits including:

• The enhancement of our business partners’ confidence in and perceptions of our organisation
• Knowing that our clients’ data is safe and that we can handle their information to the highest possible standard of professionalism in a controlled and organised way
• Creating formal policies and procedures for managing and handling information within an acknowledged framework, which is communicated to our entire team
• Recognising the risks to information security and ensuring through our policies and procedures that we have clear processes to identify assets, and understand how to deal with risks, threats and other vulnerabilities in a positive way
• Improved team development and motivation through responsibility, awareness and ongoing training in the area of information security