Saturday, August 18, 2007

The Benefits of ISO 27001 Implementation

The benefits of standardization, and of implementing one or more of the ISO 27000 series standards, are wide and varied. Although they differ from organization to organization, many are common to all.

The following is a list of potential benefits. As with many items on this website, this is an ongoing project. Please feel free to add further points via the comments option below.

This is a general benefit of standardization: systems built by different parties are more likely to fit together if they follow a common guideline.

Management can be assured of the quality of a system, business unit or other entity if a recognized framework or approach is followed.

Due Diligence
Compliance with, or certification against, an international standard is often used by management to demonstrate due diligence.

Benchmarking
Organizations often use a standard as a measure of their status within their peer community. It can serve as a benchmark both for current position and for progress over time.

Implementation of a standard such as ISO 27001 can often result in greater security awareness within an organization.

Because implementation of ISO 27001 (and the other ISO 27000 standards) tends to involve both business management and technical staff, closer alignment between IT and the business often results.

Implementing an Information Security Management System

There are key steps that every company implementing an Information Security Management System will need to consider:

Step 1: Purchase the Standard
Before you can begin preparing for your application, you will need a copy of the standard. Read it and make yourself familiar with its requirements.

Step 2: Consider Training
There are training courses available to help you implement and assess your Information Security Management System.

Step 3: Assemble a team and agree your strategy
You should begin the entire implementation process by preparing your organizational strategy with top management. At this stage you should determine the scope of your registration, that is, whether the system will be adopted company-wide or by one or more departments.

Step 4: Review Consultancy Options
You can receive advice from independent consultants on how best to implement your information security management system.

Step 5: Undertake a Risk Assessment
During this phase you should undertake a review of all potential security breaches. This should not relate solely to IT systems, but should encompass all sensitive information within your organization, whatever form it takes.

Step 6: Develop a Policy Document
This will demonstrate management support and commitment to the Information Security Management System process.

Step 7: Develop Supporting Literature
Put together a Statement of Applicability and Procedures to support your security policy. These will cover a range of areas including asset classification and control, personnel security, physical and environmental security, and business continuity management.

Step 8: Choose a registrar
The registrar is the third party, such as BSI, that assesses the effectiveness of your information security management system and issues a certificate if it meets the requirements of the standard. Choosing a registrar can be a complex issue, as there are so many operating in the market. Factors to consider include industry experience, geographic coverage, price and the service level offered. The key is to find the registrar who can best meet your requirements. A great place to start is by contacting us.

Step 9: Implement your Information Security Management System
The key to implementation is communication and training. During the implementation phase everyone begins operating according to the procedures of the management system.

Step 10: Gain registration
You should arrange your initial assessment with your registrar. At this point the registrar will review your Information Security Management System and determine whether you should be recommended for registration.

Step 11: Continual assessment
Once you have received registration and been awarded your certificate, you can begin to advertise your success and promote your business. Your ISMS will be checked periodically by your registrar to ensure that it continues to meet the requirements of the standard.

From :