ISO/IEC 27001:2013 provides a standardised approach to managing information security proactively, allowing you to identify and manage your information security risk. It is an international management system standard published by the International Organization for Standardization (ISO).
It provides a framework for protecting your information assets and demonstrates to interested third parties, clients and vendors that you secure their information appropriately.
An Information Security Management System (ISMS) is a set of standardised policies, processes and procedures that enables you to proactively manage risk to your key information assets. It is designed to help you identify what information needs to be protected, what type of protection you require and what mitigating actions can be taken to address any identified risks.
There are many ways your UK business can be impacted by failing to protect your information, and the consequences can potentially be catastrophic. For reference, in Europe a failure to protect the Personally Identifiable Information (PII) of your employees or customers could result in your business being prosecuted under the GDPR (General Data Protection Regulation). This carries fines of up to 4% of your global turnover or 20 million euros, whichever is higher.
In addition, if a failure to protect information becomes public knowledge, it can lead to negative publicity that damages both brand and reputation, impairing your ability to generate additional revenue in future.
Implementing an ISMS based upon ISO 27001 will help your business identify where its greatest risks lie, deal with them appropriately and reduce the likelihood of significant impacts occurring.
To provide reassurance to your customers and third parties, you can seek independent certification of your ISO 27001 compliance. This is a process in which your ISMS is assessed by a UK-accredited certification body; when certification is attained, it shows that you can provide evidence of meeting the requirements of the standard, putting your business ahead of competitors who aren’t compliant.
There is no direct legal requirement, and the decision to implement ISO 27001 is mainly benefit based; however, you should review any contractual obligations you may have for protecting the data of clients and other stakeholders. There is an increasing trend for customers to require third-party suppliers to implement or certify to ISO 27001, which makes it a legal requirement by way of contract.
The time required varies between UK companies, as it depends on the size and complexity of your business, the existing systems in place and the resources available. A small, non-complex business should typically be able to attain ISO 27001 compliance in 6 to 9 months; larger, more complex environments often take somewhere between 9 and 18 months.
Should your business want to become ISO 27001 compliant and require assistance in implementing security changes, please contact us and we will be more than happy to assist.