ISO 27001 INFORMATION MANAGEMENT SYSTEMS
Information security is one of the key concerns of the modern organisation and one of the key concerns for Key Security Group. The volume and value of the data used in our business need protecting, and to this end implementing, maintaining and improving an information security management system (ISMS) is essential to the development of our business and key to us meeting our strategic objectives, particularly in respect of achieving certification to ISO 27001:2013.
The main drivers for information security are undoubtedly globalisation, government directives, regulatory requirements, terrorist activities and escalating cyber threats. Furthermore, obtaining contracts with governments, local authorities and large corporate clients is making ISO 27001 a prerequisite for doing business. Certification is seen as a powerful assurance of our commitment to meet our obligations to customers and business partners.
The recent introduction of the General Data Protection Regulation and the Data Protection Act 2018 has also highlighted the need for information security management systems that are third-party approved to a recognised standard. ISO 27001 is that standard.
ISO 27001 adopts the high-level structure found in other management system standards and fits perfectly in our compliance framework. The ISO 27000 family of standards offers a set of specifications, codes of conduct and best-practice guidelines for organisations to ensure strong information security management. Of primary interest are ISO 27001 and ISO 27002. ISO 27001 is a technology-neutral, vendor-neutral information security management standard, but it is not a guide. Of the above standards for IT security governance, ISO 27001 offers the specification: a prescription of the features of an effective information security management system.
As the specification, ISO 27001 states what is expected of an ISMS. This means that, in order to receive certification or to pass an audit, our ISMS must conform to these requirements.
While ISO 27001 offers the specification, ISO 27002 provides the code of conduct: guidance and recommended best practices that can be used to implement the specification. ISO 27002, then, is the source of guidance for the selection and implementation of the controls of an effective ISMS. In effect, ISO 27002 is the second part of ISO 27001.