Title: BS / ISO / IEC 27001:2005
– Information Technology -
Security Techniques - Information
security management systems
- Requirements.
nqa
delivering world-class
performance
Information Security Management Systems
ISO 27001:2005
What is ISO 27001?
ISO 27001 is the international standard for Information
Security Management Systems (ISMS) based largely upon
the previously adopted BS 7799 used commonly since 1995
for managing information security.
ISO 27001 provides the framework for a technology
neutral, vendor-neutral management system that enables
an organisation to assure itself that its information security
measures are effective. This includes the continued
accessibility, confidentiality and integrity of its own
information and that of its stakeholders as well as legal
compliance.
Implementation of ISO 27001 is an ideal response to legal
requirements and potential security threats such as:
Vandalism / terrorism
Fire
Misuse
Theft
Viral attack
ISO 27001 is structured to be easily compatible with other
management systems standards such as ISO 9001 and ISO
14001. Whilst there are some clause numbering differences,
common elements include documentation, review and audit
requirements, enabling an organisation to develop a largely
integrated management system.
Whilst modern communication mediums mean that most
ISMS systems are focused on ICT, ISO 27001 is equally
applicable to other forms of information, such as paper
records, images, and even conversations.
Who is ISO 27001 applicable to?
ISO 27001 is applicable to any organisation where the
misuse, corruption, or loss of its business or customer
information could result in major commercial prejudice.
NQA has registered organisations to ISO 27001 in sectors
as diverse as storage and warehousing, secure destruction,
telecommunications, advertising, financial outsourcing and
software development.
Contact us: 08000 522424 | enquiries@nqa.com | www.nqa.com
What are the benefits of certification?
Customer satisfaction – by giving confidence that their
personal information is protected and confidentiality
upheld
Business continuity – through management of risk, legal
compliance and vigilance of future security issues and
concerns
Legal compliance – by understanding how statutory and
regulatory requirements impact the organization and its
customers
Improved risk management – through a systematic
framework for ensuring customer records, financial
information and intellectual property are protected from
loss, theft and damage
Proven business credentials – through independent
verification against recognized standards
Ability to win more business – particularly where
procurement specifications require certification as a
condition to supply
How to gain registration?
The process of registration follows three simple steps:
Application for registration is made by completing the
application questionnaire
Assessment is undertaken by NQA – the organisation
must be able to demonstrate that its ISMS has been fully
operative for a minimum of three months and has been
subject of a full cycle of internal audits
Registration is granted by NQA and maintained by
the organisation. Maintenance is confirmed through a
programme of annual surveillance visits and a three
yearly re-certification audit.
 nqa Initial Certification Audit Contact us
delivering world-class Stage 1 – the purpose of this visit is to confirm the For more information about this service, contact our friendly
performance readiness of the organisation for full assessment. The team today. We will be pleased to help you.
assessor will:
confirm that the quality manual conforms to the
requirements of ISO 27001
confirm its implementation status
confirm the scope of certification, statement of
applicability and any exclusions
check legislative compliance and review risk assessment
produce a report that identifies any non-compliance or
potential for non-compliance and agree a corrective
action plan if required
produce an assessment plan and confirm a date for the
Stage 2 assessment visit
Stage 2 – the purpose of this visit is to confirm that
the quality management system fully conforms to the
requirements of ISO 27001 in practice. The assessor will:
undertake sample audits of the processes and activities
defined in the scope of assessment
document how the system complies with the standard
report any non-compliances or potential for
non-compliance
produce a visit plan for the first surveillance visit
Please note that if any major non-conformance is identified,
the organisation cannot be certified until corrective action is
taken and verified.