What is ISO 27001 and why would you implement it?
ISO 27001? So, what is it?
it is the International Standard for Information Security Management. Effectively, it provides any
organisation, irrespective of size or sector, with a framework and an approach to protecting one of
the most important assets, i.e. information. ISO 27001 is one of the most adopted international
standards and one of the fastest growing.
Key things you should know about ISO 27001
It is a business standard (not an IT standard) that touches every part of the organisation involved
in processing information. Yes, IT security (e.g., firewalls, anti-virus, change management etc) is
important and has a significant part to play, but it is equally about other areas of the business.
In HR, do you appropriately check your staff and not just when they join? In Facilities, do you
manage access to your premises and can visitors wander around unchallenged? What security
policies do you have, where are they, how do you communicate them? And it´s not just about
focussing internally. It´s important to remember, you are only as good as your third parties;
so how do you communicate your requirements with them and ensure they have the appropriate
controls in place?
Effectively, ISO 27001 provides a complete approach to information security – a set of policies, procedures,
practices, and controls to protect the confidentiality, availability, and integrity of information.
It´s based on the principle of continuous improvement – you may not be where you want to be on day one but
you are continuously reviewing and improving your position.
As a risk-based standard, assessing the risks to your information is at the heart of ISO 27001. You decide on which
controls or measures you need to apply based on a knowledgeable, informed decision –i.e. the risk assessment –
balanced against your risk appetite.
The actual standard comprises 2 parts, mandatory management system sections, common to all Standards, that
you have to do, (e.g. gain top management commitment, manage your information risks, conduct audits, and
management review) as well as Annex A controls which you can implement or not as determined by your risk
Reasons for implementing ISO 27001
Quite simply, it is one of the most cost-effective means of protecting your information, i.e. the mandatory risk
assessment allows you to make informed decisions about what controls/ measures to implement and avoid
ISO 27001 takes a holistic view to identifying all types of information including digital, hard copy, personal,
company, financial etc as well as taking a holistic view to assessing threats from cyber to poorly trained or
unaware staff or ineffective procedures and processes
It embeds good practices into your organisation and enhances your culture
It provides reassurance to your clients and other key stakeholders that you take information security seriously,
particularly when you handle their data. Certification provides a significant extra level of reassurance
The information security management system (ISMS) central to ISO 27001 allows you to constantly adapt to the
changing business and threat landscape. The focus on continual improvement, monitoring, auditing and correcting
ensures controls are constantly updated and work effectively
It helps not just in minimising the risk of security breaches but helps you manage incidents and recover more quickly.
Ultimately, ISO 27001 helps protect your reputation and adds value to your business.
So, why you should partner with URM
Here are a few reasons:
Experience and expertise- We are able to ensure that you gain maximum benefit from implementing ISO 27001 by virtue of our
experience, i.e. we have assisted nearly 200 organisations to achieve certification to the Standard.
Our senior consultants have extensive experience as both subject matter experts working at a senior level within a business and
in their role as consultants advising organisations on best practice to understand what works and what doesn’t and what´s the
best approach to take.
Risk specialists- Without strong risk management, you are literally making decisions in the dark on which information security
controls need to be prioritised and implemented. URM can assist you in developing your risk management capabilities through
consultancy, our purpose designed risk assessment tool (Abriska) and through our training courses.
With the training, you will not only be able to develop your risk management skills but are also gain a practitioner certificate to
demonstrate your competence.
Knowledge transfer approach- Central to our consultative approach is the goal to help you become totally self-sufficient, i.e. for you
to develop your in-house expertise and competencies.
Our consultants are heavily involved in delivering public training courses so come armed with the knowledge transfer skills for you
to learn not just what to do but why and how.
Assurances- Our consultancy services come not only with a 100% certification guarantee but with the assurance that any implemented
ISMS will be tailored, appropriate and sustainable.
Any major nonconformity attributable to work completed by URM will be corrected free of charge. A wide range of case studies is
available on our website and references are available on request.
Flexible and tailored approach – We pride ourselves in tailoring our ISO 27001 consultancy services around your specific requirements,
which may be full lifecycle consultancy where we take the lead and provide knowledge transfer to a light touch approach which includes
mentoring or reviewing outputs.
With the latter, URM may assist with specific activities such as conducting risk assessments, developing policies and procedures, delivering
awareness sessions and conducting audits. Our services can be totally tailored to factors such as internal resource availability, timescales,
Business-led Approach – Your ISMS needs to be just that, yours. Not something that sits on a shelf or you put effort into when an external
assessor is coming but something that is truly business as usual.
Our goal with any ISO 27001 implementation is to achieve the optimum balance, where the mandatory management system requirements
of the Standard are being met whilst ensuring that your ISMS reflects your organisation and is tailored to your size, culture, and objectives.
We always aim to ensure that anything we develop or recommend is appropriate and pragmatic and adds value to your business and that
you do not become a ‘slave to the Standard’ i.e. doing something because the Standard says so as opposed to maximising an existing internal
process or method of working.
A great starting point is to attend our half day ISO 27001 seminar where URM is combining together with BSI (UK’s No. 1 certification Body)
to provide some real-world insights on pitfalls to avoid and hints and top tips for ensuring a successful ISO 27001 implementation and certification.