The benefits of ISO 27001

ISO 27001:2013 is the standard for Information Security Management; it is part of the ISO 27000 family of standards, which helps organisations keep information assets secure. Adopted by thousands of organisations across the world, its implementation puts in place a systematic approach to managing sensitive organisational information, ensuring it remains both secure and available. It is a broad standard covering process, personnel, physical and technical security.

ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). There are three key issues to note about the standard:

1. Its generic requirements mean that it is applicable to all organisations, regardless of size, type or nature. However, you tailor it to the exact needs of your organisation through the information security controls that you select to implement within your Information Security Management System.
2. It takes a flexible, risk-driven approach.
3. It is dynamic: it focuses on continual improvement and helps the organisation keep ahead of changes both within and outside the organisation.

There are a number of clear business benefits in adopting ISO 27001, either as best practice or by formally certifying against it. This whitepaper explores those benefits and outlines the steps towards achieving certification.

Key benefits

It improves enterprise security

Whether the organisation using ISO 27001 decides to go for full certification or not, ISO 27001 brings with it a systematic examination of the organisation's information security risks, taking account of the threats, vulnerabilities and impacts that are unique to that organisation. It provides a framework for the selection and implementation of a coherent suite of information security controls and/or other forms of risk treatment to address those risks that are deemed unacceptable to that individual organisation. It also brings with it a continual improvement ethos to ensure that the risk treatments continue to meet the organisation's individual information security needs on an ongoing basis.

It is an independent, unbiased measurement of the actual information security state

One of the major drivers for organisations to work towards certification is that the standard provides an internationally recognised, externally assured quality mark for Information Security Management. ISO 27001 is the industry yardstick that most Information Security Management activity is measured against.

External assurance is provided to both the customer and the organisation's management on the actual state of the organisation's Information Security Management System. External, qualified ISO 27001 auditors impartially review and assess the organisation's Information Security Practices, policy procedures and their operation against the standard. This provides a clear, unbiased, scientific view of the actual state of the present Information Security Practices.

It increases customer confidence

ISO 27001 certification gives service consumers and customers an easily recognisable security hallmark. Using the ISO 27001 logo on company literature is a continual reminder to potential and existing customers that demonstrates commitment to information security at all levels of the organisation. The certification demonstrates credibility and trust.

It reduces customer and supply chain audit

ISO 27001 certification reduces third-party scrutiny of your Information Security Management by customers and the wider supply chain. It provides assurance to customers that their information is appropriately protected and, as such, reduces the need to undertake time-consuming and costly onsite security audits, reducing time and cost for both parties.

It provides market differentiation

Holding an ISO 27001 certification is an increasing requirement to do business in many different verticals, especially when processing any type of personal or sensitive data. The achievement of ISO 27001 will differentiate two competing organisations in the marketplace, providing a valuable competitive advantage.

Increased legislative and regulatory compliance

ISO 27001 supports compliance with relevant laws such as the Data Protection Act 1998 and software copyright legislation. This in turn reduces the risk of facing prosecution and fines.

An organisation's liability in security incidents may be reduced if it is certified ISO 27001 compliant. Under the Data Protection Act 1998, organisations are obliged to have an institutional framework designed to ensure the security of all personal data. As ISO 27001 is the current international benchmark for Information Security Management, it is increasingly recognised that compliance with the standard is supportive evidence of adequate security.

Considerations and outcomes

To achieve ISO 27001 certification, an organisation must produce documentation that demonstrates that it has developed an Information Security Management System that complies with the standard. Organisations should consider producing most of this documentation even if they are not going for certification, as it provides a best practice approach for compliance as well.

The process of creating the documentation takes the organisation through a number of vital steps, including:

• Understanding the organisation's security landscape and practices
• Identifying the business drivers for implementing and maintaining an effective Information Security Management System and the benefits of achieving ISO 27001 certification
• Defining the scope of the Information Security Management System and the risk management approach you will take
• Selecting the appropriate information security controls from the standard in order to create a Statement of Applicability (SoA)
• Using the Statement of Applicability (SoA) to create a risk treatment plan, which describes your information security objectives and how you will achieve them
• Putting in place effective information security awareness and training programmes

Whether or not you choose to apply for certification, these steps will provide your organisation with:

• A clear strategic approach and management commitment to information security, with defined information security objectives
• Specific information security responsibilities defined
• Established Information Security Management System processes that are repeatable and that drive continual improvement
• A clear approach to risk assessment and management
• Effective information security awareness programme(s)

The certification process

ISO 27001 certification involves two audits, each undertaken by an independent external auditor.

Stage one: Desktop documentation audit

This involves an assessment of your documented Information Security Management System to determine whether your documentation meets the requirements of the standard. You will be advised of any problems and will have the opportunity to rectify them before being reassessed. Once the auditor is satisfied that the documentation meets the standard, you can move on to the second audit.

Stage two: Implementation audit

This audit involves assessing whether your implementation of your Information Security Management System conforms to your documentation. Again, if the auditor finds errors with your implementation, you will have the opportunity to take corrective action and then be reassessed. If the auditor is satisfied with his/her findings, you will be granted ISO 27001 certification.

Your certification is maintained through annual surveillance audits and a full assessment every three years.
Capita provides a complete service to assist clients with ISO/IEC 27001, from assessing current compliance to preparing for certification. Offering a Security Consultancy that is itself certified to ISO/IEC 27001, we fully understand what is required to achieve certification and, importantly, how to maintain it.

