ISO 27001:2013, Information technology – Security techniques – Information security management systems – Requirements

What is ISO 27001? ISO 27001 for Information Security Management Systems requires organisations to adopt a risk based approach to the security of all information. ISO 27001 is not a prescriptive document, rather it is intended to enable organisations to ensure the security of information through the assessment and treatment of information security risks, documented in a Statement of Applicability.

Information Security Management System Requirements – Information Security Management Systems (ISMS) require organisations to:
• identify information security risks
• understand external & internal issues, and interested parties, relevant to information security
• develop an Information Security Policy – typically one page document declaring commitment to information security
• develop a Statement of Applicability, documenting the assessment of identified information security risks and establishing controls (risk treatment) based on reference controls documented at Annex A of ISO 27001
• develop an ISMS or Management Manual – documenting as much or as little as you want but, typically, briefly addressing the clauses of ISO 27001; often integrated with the Manual for other management systems
• develop procedures –– instructions required to address information security
• control any outsourcing of information management
• develop and monitor information security objectives and targets
• embrace information security risks and opportunities throughout the business
• ensure staff are competent and understand their information security responsibilities
• monitor information security performance
• control information security nonconformances and take corrective action for significant or repetitive nonconformances
• conduct internal audits of the information security management system
• ensure senior management strategically review the information security management system.

Documentation Requirements:
• Information Security Policy Statement of Applicability
• ISMS or Management Manual Procedures
• Improvement Plan (monitoring information security objectives and targets)
• Registers – nonconformances and corrective action.


Implementing an Information Security Management System:

27001 Table

Benefits of an Information Security Management System:
• demonstrated due diligence by meeting regulatory and customer requirements
• meeting international best practice for security
• meeting tender requirements and stand out from the competition
• improved reputation and enhanced company profile
• demonstrated integrity of data to customers, suppliers and other stakeholders
• reduced risk of fraud, information loss and disclosure
• increased resilience to cyber attacks
• prompt detection of data leakage and rapid reaction to breaches
• reduced costs associated with information security
• all forms of information, ensuring confidentiality, integrity and availability of data secured
• ensured workplace confidentiality and improved company culture
• easily integrated with other management systems.

TQCSI Certification Process:
• contact your TQCSI Office and ask for a quote or apply on-line - TQCSI will need to know what your business does, how many employees (full time equivalent) and what types of information security risks are applicable
• to prevent delays, don’t wait until your Information Security Management System is fully implemented.

Certification Mark for Information Security Management System:

ISO 27001 Certification Logo

The certification mark can be used on all marketing material to promote your certification.

Need Help?
Contact This email address is being protected from spambots. You need JavaScript enabled to view it..

Call the certification experts on +61 8 8347 0603

ISO 9001, ISO 14001, AS 4801, FSSC 22000, ISO 22000, HACCP, ISO 27001, ISO 55001 and more