The Benefits of ISO 27001 Implementation

Dear all

I hope you are all keeping well and safe. It's still very difficult out there, with the economy slowing because of the coronavirus effect; all we can do is maintain our morale and keep our businesses going with a touch of positivity every now and again. Which, I have to say, is not always easy, but we have to keep our heads afloat in these strange times. Covid won't kill our businesses if we stay strong and keep taking advantage of the UK Government schemes designed to help us. Let's hope the UK Chancellor can provide as much support as possible going into the winter months.

So onto this week's subject: ISO 27001 and the benefits that implementing it will bring. There are many benefits to International Standards, and I will cover a few of them in this blog. Hopefully it will help those who need to implement this standard, at a time when we should be raising our standards to combat this pandemic. Standards are very often put at the back of the queue in times of recession, but when you raise your own internal standards, other good things follow, so I hope you get a little bit of good information out of reading this.

Asset management is a good place to start. IT assets are mainly in the front line of any information security project, and the standard asks you to look at your assets and risk assess them with regard to the impact and likelihood of any threats occurring. You should identify the owner of each asset and risk assess it to determine what sort of threats make it vulnerable. Knowing which risks make an asset vulnerable allows you to take action on the threats, and the asset register, which should be in place to record your assets, works in conjunction with your risk assessment.

Risk assessment is the primary tool for working out where your threats lie. You have internal threats and external threats, and you can decide whether they are deliberate or not. You see, sometimes accidents happen, and a person may not deliberately do something to expose an asset or the information contained within it. You should decide whether the risks are making you vulnerable, bearing in mind that the exposure may come from someone doing something unintentionally.

Third parties viewing your system is a good way to progress your systems, because another pair of eyes positively scrutinising them from their point of view will strengthen them. It's great that auditors come into your business to help you to lower your risks and strengthen your systems. Standards are all about people viewing your business and giving you advice on what to strengthen. It is helpful if the auditor is not negative and acts like a person willing to help, not obstruct. Some auditors can be a bit negative and tend to focus on areas that are not always that important. It is best if you have an auditor who is willing to help you to focus on the positives rather than being negative.

The controls in Annex A are a great way for you to protect your business; all 130 controls are designed to help you to put barriers up to threats and to get you to continually improve, whereas you may not have looked at your business in this way before. The controls in Annex A are written out more fully in ISO 27002, which explains them in more detail. ISO 27002 is a great standard to use and is most helpful in achieving ISO 27001.

Residual risk sign-off is important. If you write down what the residual risks are, then you must get someone, usually a director, to sign off on them. If you don't present your risks to them, they perhaps will not know what is happening in the business, so if you find risks remaining after you have applied controls, it is best to let people know; then it is up to them whether they want to accept the risk or do something about it.
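To show how the three pieces above fit together (the asset register with a named owner for each asset, the impact-and-likelihood risk assessment with deliberate and accidental threats, and the residual risks left after controls that a director must sign off), here is a small worked example. It is added to this post and is not from the original or from any ISO document; the 1..5 scales, the "impact times likelihood" score, the sign-off threshold of 10 and the amount each control reduces likelihood are all assumptions of the example, since ISO 27001 leaves the risk methodology to you. The Annex A numbers quoted in the sample data are from the 2013 edition of the standard and are there only to illustrate linking a control to a risk.

```python
"""Constructed asset register and risk assessment example (not from the post)."""
from dataclasses import dataclass, field

# Assumed scoring model: impact and likelihood on 1..5, score = impact x likelihood.
# ISO 27001 does not prescribe these scales; use the ones your own methodology defines.
SCALE_MIN, SCALE_MAX = 1, 5
SIGN_OFF_THRESHOLD = 10  # assumed: residual scores at or above this go to a director


@dataclass
class Threat:
    name: str
    source: str          # "internal" or "external"
    deliberate: bool     # False models accidental exposure by a person
    impact: int
    likelihood: int
    # (control reference, likelihood reduction) pairs; the references are
    # ISO/IEC 27001:2013 Annex A numbers used for illustration only
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any control is applied."""
        return self.impact * self.likelihood

    def residual_likelihood(self) -> int:
        """Likelihood after controls, never below the bottom of the scale."""
        reduction = sum(r for _, r in self.controls)
        return max(SCALE_MIN, self.likelihood - reduction)

    def residual_score(self) -> int:
        """Risk left over after controls: this is what gets signed off."""
        return self.impact * self.residual_likelihood()


@dataclass
class Asset:
    asset_id: str
    name: str
    owner: str
    threats: list = field(default_factory=list)


def validate(asset: Asset) -> list:
    """Return a list of register problems (empty list means the entry is complete)."""
    problems = []
    if not asset.owner.strip():
        problems.append(f"{asset.asset_id}: no owner assigned")
    for t in asset.threats:
        for label, value in (("impact", t.impact), ("likelihood", t.likelihood)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                problems.append(
                    f"{asset.asset_id}/{t.name}: {label} {value} outside {SCALE_MIN}..{SCALE_MAX}")
        if t.source not in ("internal", "external"):
            problems.append(f"{asset.asset_id}/{t.name}: source must be internal or external")
    return problems


def needs_sign_off(assets: list, threshold: int = SIGN_OFF_THRESHOLD) -> list:
    """Residual risks at or above the threshold, highest first, for director sign-off."""
    rows = []
    for a in assets:
        for t in a.threats:
            if t.residual_score() >= threshold:
                rows.append({"asset": a.asset_id, "owner": a.owner, "threat": t.name,
                             "inherent": t.inherent_score(), "residual": t.residual_score()})
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample register (two assets, three threats)
ASSETS = [
    Asset("SRV-01", "Customer database server", "IT Manager", [
        Threat("ransomware", "external", True, impact=5, likelihood=4,
               controls=[("A.12.2.1 controls against malware", 1),
                         ("A.12.3.1 information backup", 1)]),
        # accidental threat: reduction exceeds likelihood, so it is clamped to 1
        Threat("accidental deletion by administrator", "internal", False, impact=4, likelihood=2,
               controls=[("A.12.3.1 information backup", 2)]),
    ]),
    Asset("LAP-07", "Sales laptop", "Sales Director", [
        Threat("device lost in transit", "internal", False, impact=3, likelihood=3),
    ]),
]

if __name__ == "__main__":
    for a in ASSETS:
        for p in validate(a):
            print("REGISTER PROBLEM:", p)
    for row in needs_sign_off(ASSETS):
        print(f"{row['asset']} ({row['owner']}): {row['threat']} "
              f"inherent {row['inherent']} -> residual {row['residual']}: needs sign-off")
```

Run as a script, it reports only the ransomware risk on SRV-01 for sign-off (residual 10 after two controls), while the accidental-deletion risk drops to 4 and the uncontrolled laptop risk sits at 9, just under the assumed threshold. Lowering the threshold, or adding a threat with no owner recorded, changes what the director sees, which is the point of keeping the register and the assessment together.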

Penetration testing is not sufficiently covered in ISO 27001, so it may be best to get your servers tested to protect yourselves from outside threats. You can do this in conjunction with vulnerability scanning software, which will tell you where your vulnerabilities lie. This, in conjunction with a suitable penetration test, will tell you what threats you face and what to do about them. Something like Cyber Essentials will help you to do this, but you must be prepared to make a statement on the situation your servers are in. Cyber Essentials Plus is a great way to get your systems examined, because someone approved will test your systems and see if there are any concerns.

ISO 27001 is a great tool for lowering your risks and vulnerabilities; use it wisely and it will propel your business into a much safer machine.

Stay safe, and I hope you enjoyed the blog. If you have any questions, go to the ISO help desk at:

Best regards


Steven Burgess is an ISO 9001 and ISO 27001 Consultant to companies in the UK and also a Data Protection Officer for Disclosure Services Limited, a company that processes data relating to criminal record checks.