You’ve made the decision to implement ISO 27001, or at least to align to the standard. Now what…

When we begin an engagement, we always look to understand why an organisation wants certification and to ensure that it has the full support of the senior leadership team. Understanding these two points is key, as it ensures the correct budget, timeframe, resources and support are in place and planned before any implementation activities begin.

The ISO 27001 standard is not prescriptive – it doesn’t tell you “how” to do something. Whilst some may consider this to be problematic, it is actually a benefit. It means you can implement an Information Security Management System (ISMS) that is designed to work for, and with, your business, regardless of size or sector.

The standard does include a list of possible information security controls, referred to as Annex A. Although these are not mandatory, they form a broad set of controls which could be implemented. Controls are selected on the basis of risk assessment and other drivers, such as regulatory and/or contractual requirements.

The team at Shift Key Cyber have carried out numerous ISO 27001 implementations over the years, and whilst all have their similarities and their differences – no two have been the same. 

Our approach is to work with your team to gain an understanding of your business from both a strategic and an operational standpoint. This allows us to ensure that all relevant aspects of the business are included in the ISMS, and to identify any interdependencies that may exist.

It is important to note that ISO 27001 certification is not a one-size-fits-all exercise, and implementing the standard is just the start. The ISMS requires regular maintenance to ensure it continually improves as your business develops.

If you’d like to know more about implementing or aligning to ISO 27001, book a free consultation and we’ll be happy to help.

Author

Dawn O'Connor

Dawn is a Co-Founder of Shift Key Cyber. She has 25 years’ experience in risk advisory. She is an ISO 27001 Lead Implementer and an ISO 22301 Lead Implementer, and she is also an IASME Certified Assessor. She is a member of the Chartered Institute of Information Security and the British Computer Society.