ISO:27000 Information Security Compliance
Is ISO:27001 security certification achievable for a small business?
We visit many organisations of various sizes during the course of our work. Where these provide service to customers who request assurance over the security of their data, we find that there is a general appreciation that ISO:27001 certification can help this. However, we also hear that the standard is too hard or expensive or time consuming to achieve.
There are three points that we need to highlight:
- You don’t need to certify the whole organisation, just the area that your customers are concerned about. You can set the scope of the certification to cover only the customer-facing systems, meaning your back-office processes (HR, finance, etc.) don’t need the same level of security scrutiny or control applied;
- ISO:27000 isn’t about being as secure as Fort Knox, or even about being secure; it is about setting up business processes to understand security and mitigate risks where they are of concern. Where risks are acceptable, no security controls are required. To gain certification you will need to show evidence that information security is properly understood and taken seriously by your organisation, not that security controls lock down all facets of business activity;
- Rome wasn’t built in a day. We help and support implementation of the standard over time, allowing you to own the process, develop controls at your own pace and consider how best to manage and control the process.
We have helped a number of our clients develop their Information Security Management System (ISMS), which is the business process that is audited during ISO:27001 certification. This has included developing the minimum required policies and facilitating security group meetings to support the development of requirements such as asset registers, risk registers and monitoring / improvement processes, which in turn support the development of appropriate security controls throughout the business.
We perform a facilitation and implementation role for our clients. The final certification audit will be carried out by an auditor from a certified body, and this usually takes around 2 days (depending on the size of your organisation).
If you would like more information, feel free to contact us.