TQCSI Information Security Code:2018
What is the IS Code?
TQCSI’s Information Security (IS) Code for information security management systems is a standard against which companies can develop a system and gain certification to demonstrate compliance with fundamental information security requirements. Based on the international standard ISO 27001, it adopts many of that standard’s requirements but is less prescriptive and much less bureaucratic. It is an ideal ‘stepping stone’ for companies that wish to work towards ISO 27001 certification, and it may satisfy the pre-qualification requirements of larger clients.
Information security is predominantly, but not exclusively, an IT matter. Other processes that handle information also need to be considered, such as telephones, HR records, access to the premises and physical security.
Information Security System Requirements
An Information Security Management System (ISMS) requires organisations to:
- understand their information security related external & internal issues, and interested parties
- have an Information Security Policy describing senior management’s commitment
- assess potential information security related risks
- develop a Statement of Applicability based on controls listed at Annex A to the Code
- monitor controls listed in the Statement of Applicability to ensure their effectiveness
- develop and monitor information security objectives
- ensure staff are competent and understand the information security management system
- control any outsourced information security related processes (eg IT services)
- control information security nonconformances
- take corrective action for significant or repetitive nonconformances
- conduct internal audits of the information security management system.
Information Security Documentation Requirements:
- Information Security Policy – typically one page document declaring commitment to information security
- Statement of Applicability – register recording the risk assessment and the controls selected to treat each risk
- Procedures – as many or as few as you need; ideally they are brief instructions for employees to follow (eg the backup process)
- Registers – for information security objectives and nonconformances.
Implementing an Information Security Management System:
Benefits of an Information Security Management System:
- helps companies meet their legal and regulatory requirements for information security
- company operations have never been more dependent on IT systems
- commercially sensitive information has never been more at risk
- reduced risk through assessment of threats to information security
- information and processes are increasingly held in the cloud
- 3rd party certification may reduce the need for 2nd party (customer) audits
- gain stakeholder and customer trust that their data is protected
- expand potential tendering opportunities by demonstrating a high level of information security through 3rd party certification
- improved efficiency
- enhanced company profile
- supports business continuity
- confidence that information security is controlled.
TQCSI Certification Process:
- contact your TQCSI Office and ask for a quote, or apply on-line – TQCSI will need to know what your business does and how many employees (full-time equivalent) you have
- to avoid delays, apply before your Information Security Management System is fully implemented.
Certification Mark for Information Security Code:
The certification mark may be used on all promotional material to publicise your certification.