ISO 27001:2005
Achieving ISO 27001:2005?
ISO 27001, titled ‘Information Security Management Systems’ (ISMS), is the replacement for the original document, BS7799-2. The basic objectives of the standard are to help organisations establish and maintain an effective information security management system using a continual improvement approach, and to assist businesses and organisations throughout the world in developing best-in-class information security.
Most organisations have a number of information security controls. Without an ISMS, however, the controls tend to be somewhat disorganised and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention. The standard defines its 'process approach' as "The application of a system of processes within an organisation, together with the identification and interactions of these processes, and their management".
The Challenge
After achieving ISO 9001:2008, we were a little more confident about working on this project. We knew from the outset that the standard would involve a great deal of commitment from the entire team if we were to achieve certification. We faced a number of challenges including:
- Achieving team “buy-in”, as the introduction of an ISMS involves huge cultural changes in the way an organisation operates
- Getting the team to think beyond electronic information and also consider the physical security of our building and paper documents
- Getting the team to think of information security as an integral part of the daily business and not as an additional burden
- The commitment and inputs from senior managers to help maintain momentum in driving this project forward
- Spreading the knowledge and particularly the jargon used in ISMS across the team
- Making information security management a team-wide responsibility and not just the preserve of the IT department
- Keeping the project moving forward during the implementation process and before the all-important audit certificate was granted!
The Solution
Using our experience of ISO 9001:2008 certification, we created a step-by-step procedure, which worked as follows:
- We created a core team for the project
- We organised awareness and training programmes for all team members
- We defined the information security policy and our objectives, and listed all our information assets
- We identified the risks and threats to all the information assets and worked out a strategy for risk mitigation
- We strengthened our physical and information security in all its aspects by implementing ISMS controls
- We carried out rigorous internal audits and brainstorming sessions to achieve the standard
The Outcome
In July 2009, Shergroup achieved its ISO 27001:2005 certification. We were issued with a certificate, valid for three years, by the British Standards Institution for successfully implementing the Information Security Management System.
The Ongoing Benefits
As a result, we believe we have not only achieved the standard but also a number of other benefits, including:
- The enhancement of our business partners’ confidence in and perceptions of our organisation
- Knowing that our clients’ data is safe and that we can handle their information to the highest possible standard of professionalism in a controlled and organised way
- Creating formal policies and procedures in managing and handling information within an acknowledged framework, which is communicated to our entire team
- Recognising the risks to information security and ensuring through our policies and procedures that we have clear processes to identify assets, and understand how to deal with risks, threats and other vulnerabilities in a positive way
- Improved team development and motivation through responsibility, awareness and ongoing training in the area of information security