ISO/IEC 27001 is an international Information Security Management System (ISMS) standard which was first published in October 2005 before being revised and updated in 2013. Along with ISO 27002 (Code of Practice), ISO 27001 provides organisations with a best practice framework for managing their information security. Achieving certification, which entails an external assessment of the ISMS by a certification body, provides you with the most effective means of demonstrating your information security commitment and capabilities to clients and to internal and external stakeholders.
One of the key features of ISO 27001 is that it is risk based. The implementation of controls (technical measures, policies, processes etc.) is not prescriptive but is determined by an information risk assessment taking into account your risk appetite and the information you are seeking to protect. The goal with ISO 27001 is achieving an optimum balance, where the mandatory management system requirements of the Standard are being met while ensuring that your ISMS is tailored as fully as possible to your organisation's size, culture and business objectives.
Achieving this optimum balance is where Liit and our partners excel. We are able to ensure that you gain maximum benefit from implementing ISO 27001 by virtue of our experience (150+ certifications), our consultancy expertise (all ex-information security managers with real-world experience and an understanding of the challenges you face) and our purpose-designed risk management tool (Abriska). Our consultancy services come not only with a 100% certification guarantee, but with the assurance that any implemented ISMS will be tailored, appropriate and sustainable. Liit's ISO 27001 consultancy services are also totally flexible: our consultants can provide guidance and knowledge transfer across the full lifecycle or in specific areas, such as assisting with risk assessments, policies and procedures, awareness and education, and compliance with legislative and regulatory requirements, including the Data Protection Act. Support will be tailored to your specific requirements and often depends upon your internal expertise and its availability, your timescales and your budget. Liit and our partners also have a team of highly skilled and experienced auditors.
If you are looking to comply with or certify to ISO 27001, we can provide you with two free sources of practical advice. Liit and our partners have joined forces with BSI (the UK's No. 1 certification body) to deliver half-day ISO 27001 implementation seminars which provide real-world insights on pitfalls to avoid, along with hints and top tips for ensuring a successful outcome. The content of these seminars is based on the cumulative experience of our partners and BSI in implementing and assessing hundreds of ISMSs over the last 10 years, and the focus is on 'how to' certify.
In addition to attending the free ISO 27001 seminars, which are held approximately every 6 weeks across the UK, you can also take advantage of Liit and our partners' free ISO 27001 health checks. The half-day health checks are aimed at organisations looking to certify to ISO 27001 that want to benchmark what they currently have in place against the requirements of the Standard. Following the health check, which is delivered by our senior consultants, you will receive a high-level report and a graph indicating the maturity of the key components of your ISMS. The health check provides you with a perfect way of understanding your current compliance status, where your development priorities lie, and the likely timescales and resources you will require in order to achieve certification.
BS 10012 is a British management system standard which has been developed to enable organisations to implement a personal information management system (PIMS). This provides a framework for maintaining and improving compliance with data protection legislation and good practice. The framework will help you to manage risks to the privacy of personal data and implement appropriate policies, procedures and controls. In March 2017, BSI updated this Standard in response to the introduction of the European Union General Data Protection Regulation (GDPR). Article 42 of the GDPR encourages the "establishment of data protection certification mechanisms... for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors". This is exactly what BS 10012:2017 is intended to offer.
BS 10012:2017 follows the 'Plan-Do-Check-Act' continuous improvement model and is aligned to ISO Annex SL, adopted by all key management system standards, enabling organisations to integrate their PIMS with other standards, notably ISO/IEC 27001:2013. It is also a standard which organisations can now certify against.
By implementing and certifying your PIMS against BS 10012:2017, you will be able to:
- Demonstrate your commitment to protecting client and stakeholder personal data
- Identify risks to personal information and implement controls to mitigate them
- Use the management system as part of a privacy compliance framework to demonstrate compliance with the GDPR and the revised UK Data Protection Act
- Benchmark and continually improve your management of personal data against recognised best practice
- Protect your reputation and minimise adverse publicity
- Gain competitive advantage when seeking and retaining business.
As stated above, BS 10012:2017 has been drafted using the rules specified for management system standards in the ISO Directives Annex SL, and follows the same common structure and core text as standards such as ISO/IEC 27001:2013 and ISO 9001:2015.
With their wealth of data protection experience and expertise, Liit and its partners are uniquely placed to assist you in developing and implementing a Personal Information Management System (PIMS) and achieving certification to BS 10012:2017. These services range from conducting a gap analysis (where one of our consultants will assess your existing PIMS and compare it against the BS 10012 requirements) to full lifecycle services. We can also offer a readiness assessment service for those organisations seeking certification. With the full lifecycle implementation services, Liit and its partners can assist you in meeting requirements such as:
- Understanding and documenting the context of the organisation (including determining the scope of the PIMS)
- Demonstrating leadership and commitment with respect to the PIMS (including establishing a PIMS policy)
- Planning actions to address risks and opportunities (including defining a data inventory and data flow analysis process, a Data Protection Impact Assessment (DPIA) process and a risk treatment process)
- Determining and providing the resources needed for the establishment, implementation, maintenance and continual improvement of the PIMS
- Implementing the PIMS (including conducting risk assessments and ensuring the organisation meets the principles and requirements of the GDPR*, e.g. ensuring that personal information is processed fairly, lawfully and in a transparent manner)
- Evaluating the performance of the PIMS (including conducting internal audits and management reviews)
- Continually improving the PIMS (including implementing corrective and preventive actions).
*For more information on meeting the requirements of the GDPR, contact us.
ISO 22301 is a Business Continuity Management System (BCMS) standard which provides an effective means of assuring yourself and your stakeholders of your commitment to business continuity and that you have adopted best practice.
When implementing a BCMS, an essential ingredient is that you follow a process of continual improvement. A key activity within this process is performance evaluation, i.e. is your BCMS operating as you intended and as required? Auditing and review are among your performance evaluation mechanisms. The auditing process is an ongoing activity, irrespective of whether or not your organisation is certified.
The biggest challenge faced by organisations when it comes to the auditing process is suitable resources: ensuring you have sufficient and suitable resources to manage the audit programme and conduct the audits. Auditors need to have the skills and knowledge sufficient to conduct effective audits. This means that they need to be able to audit specific business continuity processes, e.g. business impact analysis, plans or exercising, and may need to visit geographically diverse locations in order to put documents in the necessary context. Therefore, auditors need not only to be available to travel, but also to be able to demonstrate a level of independence from the area being audited. The people most likely to have sufficient knowledge of business continuity, and therefore (assuming they also have audit skills) to be the most appropriate auditors, often have a conflict of interest and may not be able to conduct the audit. There is also the additional burden of conducting audits of third parties who form part of the supply chain.
Having been involved in various Business Continuity (BC) projects and conducted numerous BC audits both internally and of third parties, we are ideally placed to assist organisations with their auditing activities. We can support the development of an internal audit programme and/or provide access to one of our audit specialists to conduct the audits. Where we conduct the audit, if desired, we will encourage your staff to shadow our auditor as part of our knowledge transfer philosophy.
Naturally, the audits will be bespoke to your organisation and can include the operation of the management system (e.g. document management procedures and corrective actions process) or the business continuity processes (e.g. business impact analysis, plan maintenance or plan exercising).
Our BCMS audit services can also extend to auditing third parties on your behalf, e.g. verifying business continuity capability, plans and competencies.
We manage the full ISO 22301 internal audit process for a number of clients and would welcome the opportunity to discuss your requirements with you.