ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS), which defines best practice to help companies of all sizes, in any industry and virtually any country, systematically secure their confidential and business critical data.

Each standard is created by a technical committee made up of subject matter experts, including industry representatives, research organisations, government departments and consumers. The outcome is a set of detailed criteria, definitions, and guidelines that provides a comprehensive framework to help organisations implement a coordinated approach to information security.

ISO/IEC 27001 Information Security Management

WHAT IS AN INFORMATION SECURITY MANAGEMENT SYSTEM?

Implementing a robust ISMS is a proactive and systematic approach to managing risk and securing confidential and commercially sensitive information to protecting it from potential cyber-attacks and data breaches.

Introducing controls across people (education and training), process (policies and procedures) and technology (systems and software), an ISMS enables organisations to effectively manage and mitigate risk; safeguard information assets; maintain data integrity and confidentiality; and ensure legal and regulatory compliance.

Peace of mind:

Certification ensures confidential data is secure, which may include financial records, intellectual property, personal data, and other commercially sensitive information, as well as employee and customer records.

Globally recognised:

With more than 165 member countries, ISO/IEC 27001 certification sets a benchmark for best practice and is recognised all around the world, quickly and easily demonstrating your organisation’s commitment to information security.

Compliance:

Enhances your company’s brand and builds trust and confidence. Certification reassures existing or potential customers and stakeholders that you are committed to industry best practice and continual improvement.

Enhances reputation:

Certification builds trust and confidence in your company and reassures existing or potential customers and stakeholders that you are committed to safeguarding data.

Competitive advantage:

Certification can increase commercial opportunities and enable your company win additional business and new customers from competitors who are not certified, or where certification is mandated for suppliers.

Security awareness and business continuity:

ISO/IEC 27001 certification promotes far greater information security awareness amongst staff and a culture of security throughout the business, which means greater vigilance. By reducing the number of incidents disruption to day-to-day operations is minimised.

Cost savings and efficiencies:

The cost of implementing ISO/IEC 27001 is likely to be minimal when compared to the potential financial impact of a breach. Business operations are also streamlined as policies and procedures are clearly defined and documented.

Futureproofing:

The framework helps your business to continually review potential risks and weaknesses and implement appropriate controls that improve the way you manage your organisation’s information security.

WHAT ARE THE BENEFITS?

ISO 27001 CERTIFICATION PROCEDURE

Implementation includes full gap analysis & review alongside regulatory compliance & industry standards. We assist with development of policies & processes and staff training.

Implement your ISO Management System

We will assist with internal audits and actively support you during the stage 1 and stage 2 certification audits.

Certification

Audit

Post certification we will help you to successfully maintain your certifications. With internal audits, management reviews, compliance for surveillance audits and re-certification.

Ongoing Support

We establish the size & scope of the project by working with you to understand your overall business needs, your expectations and how implementing the ISO standard can help you. We also take a look at your existing certifications to identify opportunities to integrate management systems & lower your total cost of ownership.

Initial Review

Fortis simulates the certification audit and performs a full review of your company’s scope, policies, processes, and procedures. Then reviews and remediates any gaps before your official UKAS certification body audit.

Pre-Assessment

You are now a certified business!

Congratulations!

UKAS ISO Certification Achieved and Formally Awarded for Certification

LEVELS OF SERVICE

IS THERE A SIMPLER ROUTE?
  • Cyber Essentials
  • Cyber Essentials Plus
  • IASME Cyber Assurance
  • ISO/IEC 27001

Achieving ISO/IEC 27001 certification is a rigorous process and depending on the type and size of the business and amount of data processed, there may be a different cyber security standard that is better aligned to your organisation’s needs.

SPECIFICS OF ISO/IEC 27001 CERTIFICATION
  • Context: Understanding your organisation and its context, assessing the needs and expectations of stakeholders, determining the scope of your ISMS.
  • Leadership: Establishing and communicating an information security policy and setting objectives, ensuring roles and responsibilities are correctly assigned, demonstrating leadership and commitment to your organisation’s ISMS.
  • Planning: Carrying out an information security risk assessment process, reviewing risks and opportunities that need to be addressed in order to effectively implement, manage, and improve your organisation’s ISMS.
  • Support: Reviewing the resources and competencies needed to effectively implement, manage, and improve your organisation’s ISMS.
  • Operation: Planning, implementing, and controlling the processes needed to meet the outcomes of the information security risk assessment.
  • Performance Evaluation: Monitoring, measuring, analysing, and evaluating the effectiveness of your organisation’s ISMS.
  • Improvement: Identifying nonconformities and any associated corrective actions, continually improving the suitability, adequacy, and effectiveness of your organisation’s ISMS.

The information security controls to which your organisation needs to be compliant to achieve certification are broken down into the following four key areas:

  • Organisational controls e.g policies, roles and responsibilities, threat intelligence, access rights, identity management.
  • People controls e.g. screening, remote working, employment terms and conditions, confidentiality.
  • Physical controls e.g. securing offices, storage media, security of assets off-premises, equipment maintenance.
  • Technological controls e.g. configuration management, malware protection, network security, secure authentication.