ISO 27001 – What Does It Mean?
Posted 3 November 2015 by Neil Clark
In an ever-increasing age of security awareness and media exposure of careless information handling, the protection of data is critical. Certification to ISO 27001 is increasingly a “must have” for a lot of customers, but what does this actually mean?
ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes. In brief – we are trying to ensure the continual protection and improvement of three key factors: Confidentiality, Integrity and Availability.
This standard was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system" and is implemented using a top down, technology-agnostic risk-based approach. The specification defines a six-part planning process:
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a statement of applicability.
It incorporates details for documentation, management responsibility, internal audits, continual improvement and corrective / preventive action.
A key aspect of ISO 27001 is to implement appropriate management support and systems, ensuring a continual improvement programme is in use to provide visibility of risks, vulnerabilities and threats throughout the business. It is important to remember that Information Security is not a “fix and forget” system; it is a living, breathing, integral part of the way a compliant organisation operates.
Blue Chip took the decision to align its Cloud Service division with ISO 27001, identifying the following scope: “Blue Chip Hosting Department providing and maintaining hosted services for Blue Chip Data Systems Ltd, including Colocation, Infrastructure as a Service (IaaS), Software as a service (SaaS) and Network as a service (NaaS) on which solutions are built.” In simple terms this means that all of the Cloud Services offered by Blue Chip are covered by this Standard.
To achieve UKAS (United Kingdom Accreditation Services) accreditation, the Blue Chip Cloud Services department was externally audited to the highest standard by URS (United Registrar of Systems). Moving forward, we are required to sit annual external audits to keep our accreditation.
The journey to ISO 27001 has been one which we’ve found both challenging and rewarding. There is clear value to us and our customers both in having achieved certification and in the continual effort to maintain the high standards that we’ve aligned ourselves to. We look forward to bringing you updates on our progress and re-certification in the coming months.