ISO 27001 - Are your information assets secure? We’ve all heard the story about a trusted financial institution reporting an unauthorised release of personal information, or perhaps the rumour that a government department has lost a critical back-up tape? In terms of your business, how much protection do you have? How much is enough? What level of information security do we owe our customers, staff, stakeholders and regulators? There is a simple answer: ISO 27001 Information Security Management Systems.
ISO 27001 has been available for a number of years, initially as AS/NZS 4444 and subsequently as AS/NZS 7799. In 2005 it was released as an internationally recognised standard. In Australia, it was adopted as an Australian Standard, AS/NZS ISO 27001:2006. ISO 27001 is recognised around the world. Over 6000 certificates have been issued globally, and this number is increasing rapidly as more organisations recognise the value of a certified system and implement one.
ISO 27001 is suited to any organisation that manages assets - data, people, software and intellectual property. This includes government departments (or their critical suppliers such as mailing houses, or data warehouses), energy providers and utilities, banks, insurance companies and corporates across all sectors of the economy.
If TRUST, REPUTATION and BRAND are an integral part of your business then it is essential to consider the management of the information with which you are entrusted. Increasingly you must take responsibility for your processes, even when these are outsourced.
ISO 27001 is a practical, internationally recognised benchmark that relies on assessing and managing risk to manage information and asset security. The system, as with all management systems, should be implemented to reflect the needs of your organisation and consider its current processes, size and structure. The identification and rating of threats and vulnerabilities (including logistics, servers, network management and third parties such as contractors, internet service providers and HR) is a key underlying requirement of the standard.

ISO 27001 should be viewed in combination with ISO 17799, which lists 11 control objectives and over 100 specific controls that an organisation should consider. These control objectives include:
1. Security Policy

The ISO 27001 standard is aligned with ISO 9001:2000 and ISO 14001:2004, supporting easy integration with existing management systems.
5.1 Step One: Scoping Workshop

A Scoping Workshop is an option favoured by organisations that have identified a business requirement such as ISO 27001 and are aware that implementation within the organisation will be significant in structural or investment terms. It allows you to gain a feel for the implications, possible outcomes and benefits and, importantly, to consolidate senior management understanding and commitment. During the working session NCS International facilitators will:

5.1.1 Workshop Outcomes:

5.2 Step Two: Gap Analysis

A Gap Analysis often proves an invaluable tool in determining system implementation maturity and audit readiness. The methodology applied by NCS International includes a review of your current system and identification of specific gaps against the Standard. Importantly, prior to undertaking a Gap Analysis, our audit team will contact your identified management representatives to familiarise themselves with organisational priorities, objectives and expectations, so that the Gap Analysis proves beneficial and aligns with the organisation's goals for the roll-out of the system.

5.3 Step Three: ISMS Implementation

Before you implement the ISO 27001 Information Security Management System, NCS International will work with you to develop a capability statement describing the scope of your ISMS. The scope is fundamentally at your discretion; however, consideration should be given to starting small and specific and expanding the scope of the certification as your system matures. Once the capability statement is prepared, your organisation will have the framework and the key information needed to implement its ISO 27001 Information Security Management System. Implementation is the responsibility of the organisation, though suggestions may be offered to assist your understanding of the requirements of the standard and their applicability and alignment with your organisation.
5.4 Step Four: NCSI Certification

External recognition of your achievement, including an independent and objective assessment of the management system against the requirements of the standard, is a vital ingredient in demonstrating to your internal and external stakeholders that there is a robust management system in place. The certification team will include experts aligned to your business requirements. Certification audits are undertaken in a three-year cycle, comprising an initial certification audit and subsequent periodic audits to verify that the integrity and effective operation of the system are maintained.
Organisations can no longer rely only on their IT department to ensure that information security is managed effectively. IT systems are just one business tool that helps to deliver an outcome. Taking ownership of this issue by reviewing your information security status is the first step to implementing a strong system, so that your Board, Senior Management, staff, customers and stakeholders can be confident that the risks you face are managed professionally and appropriately. Think it can't happen to your system? Think again!