ISO 27001: The Facts: Protect - Comply - Thrive
The facts
An ISMS is a systematic approach to managing data in a secure way and includes people, processes and
technology.
Organisations that adopt ISO 27001 can be certified by an independent audit body, thereby presenting evidence
to clients and stakeholders that they comply with international information security management best practice.
Through its comprehensive approach to information security, ISO 27001 presents a practical and effective method
of achieving demonstrable compliance with a range of international data privacy laws, including the GDPR, the
NYDFS Cybersecurity Requirements for Financial Services Companies and the NIS Directive.
Other benefits
An ISMS helps to protect an organisation's information in all its various forms, including:
Once the risk assessment has been conducted, the organisation needs to decide how it will manage and mitigate
those risks, taking into account the resources and budget it has allocated.
3. Share the risk with a third party, e.g. an insurance company via an insurance policy.
4. Retain the risk. This decision can be made if the risk assessment finds that the cost of reducing
the risk in other ways (including terminating it) would be greater than the damage the
risk could inflict upon the business.
Controls to mitigate risk
ISO 27001 recommends a set of controls that are designed to mitigate information security risks; however, an
organisation can use other control sets too. There are 114 controls in Annex A, covering the breadth of information
security management. The 14 control sets are:
One aspect of reviewing and testing is an internal audit, which requires the ISMS manager to produce a set of
reports that provide evidence that risks are being adequately treated.
An even more effective way for an organisation to obtain assurance that its risk treatment plan (RTP) is
working as intended is to obtain accredited certification.
Certification means that an independent auditor, appointed by an official certification body, will audit the ISMS to
establish whether there are any nonconformities that need to be addressed. The auditor will conduct a detailed
assessment of the ISMS, interview key staff members, and review various documentation and reports such as the
Statement of Applicability (SoA), RTP and information security policy. Based on the outcomes of the audit, the
company will be able to obtain certification that is valid for three years.
Develop or source the necessary expertise
You will either need to have the internal capacity to lead the project or appoint an external professional with
proven experience of implementing an ISMS who understands the requirements of ISO 27001 compliance.
For more information, download our free green paper: Implementing an ISMS: The nine-step approach.
What does a typical ISMS implementation project cost?
Although costs vary from company to company based on the size and complexity of the organisation and the
preferred ISMS implementation approach, IT Governance’s annual global ISO 27001 survey reveals that
organisations spent between £5,000 and £20,000 on the total project, excluding certification fees.
“Having ISO 27001 certification is important to us for two reasons. First, it gives our customers and prospects
confidence that when they entrust us with their information, we have been independently assessed to be able
to keep that information safe. Secondly, the ISMS is simply good practice for a business like ours; it provides an
effective framework for running an organisation well.”
Andrew Saunders, operations manager, VoiceVault
“As we’ve grown we’ve wanted to demonstrate that we deliver world-class security, and the best way to do that
was to ‘get the badge’ and let the world see we’ve got it. It’s something that allows us to toe the line in order to
compete.”
Steve Carroll, managing director, Healthcode
Read more about the importance of using accredited certification bodies to ensure that your certificate is valid and
authentic.
The average length of time for an ISO 27001 certification project is 6-12 months*
The time it takes to achieve ISO 27001 certification can vary depending on the size of the organisation,
the scope and complexity of the project and the availability of resources.
Small companies with a single office location and few staff may be able to achieve certification in less than
three months if they rely on external help.
Secure your supply chain
The proliferation of cyber attacks and data breaches is driving a need for greater information security assurance
throughout the supply chain. By providing a globally-accepted indication of your information security
management, ISO 27001 certification significantly reduces the need for repeated supplier audits, lessening
the number of external audit days, and presents significant savings in terms of preparatory work when
entering into contracts.
IT Governance’s annual ISO 27001 Global Report reveals some of the obstacles that information security teams face
when tackling the Standard for the first time.
• Executive teams often fail to grasp the extent of information security risks.
• The requirements of the Standard are not always easy to interpret.
We offer a complete set of ISO 27001 products and services in addition to a wide range of other IT GRC disciplines.
This means you can get whatever you need for your project in one place.
Our multi-sector and multi-standard knowledge and experience mean we can help you implement an ISMS quickly
and easily, no matter where your business is located.
Combined with our deep industry expertise and practical approach, we can provide advice, tools, DIY solutions,
in-depth training, easy access to online consultancy (billed by the hour) or full-service consultancy support to
help you tackle any obstacle during your ISO 27001 journey.
How IT Governance can help: cost-effective resources
IT Governance is a leading global provider of IT GRC solutions. We advise global businesses on their most critical
issues and present cost-saving and risk-reducing solutions based on international best practice and frameworks.
Consultancy
Our management team has led ISO 27001
implementations since the inception of the
Standard, when two of our directors led the world’s
first successful certification of an ISO 27001 ISMS.
To date, we have helped more than 600
organisations with their ISO 27001 implementation
and certification projects.
Training
We are an acknowledged leader in ISO 27001, information security, data protection and business
continuity management training, and offer industry-leading, ISO 17024-certificated qualifications to
implement and audit an ISO 27001 ISMS.
“IT Governance gave us the confidence to accelerate the process of gaining certification, which we achieved,
thanks to their help, in line with project timescales.”
Carl White, service manager, Lanware
Why IT Governance?
• IT Governance is considered the global authority on ISO 27001 implementation and our management team led
the world’s first successful certification to ISO 27001.
• We’ve helped more than 600 organisations implement and get certified to ISO 27001.
• A wide range of tools and solutions put you in the driver’s seat, often eliminating consultancy fees.
• You benefit from real-world practitioner expertise, not just academic knowledge.
• We can help small organisations achieve ISO 27001 certification in just three months.
• We are independent of vendors and certification bodies, and we encourage our clients to select the best-fit
supplier of independent certification services for their needs and objectives.
Our credentials
IT Governance is widely recognised among certification bodies as a leading consultancy.