ISO27001 (the standard formerly known as BS7799)

ISO27001 is a standard concerned with the management of information and data security systems. 

ISO27001 requires that you

  • define your policies for information security
  • define your objectives (which should be measurable targets relevant to information security)
  • define your procedures for 
    • controls of documents & records, 
    • management reviews of the system, 
    • internal audits, 
    • incident handling, 
    • preventive actions, 
    • corrective actions, 
    • etc.
  • identify the types of data that your organization processes or owns (including IT-related data, printed data, information which is "in people's heads" and so on)
  • identify risks & threat levels to the data and balance them against the impact on the business and its customers (and others affected by the threat) that any damage, loss or disclosure would cause
  • prioritise the need to control those risks
  • identify the ways to control those risks (by selecting the controls from a list within the standard)
  • apply the controls
  • monitor the effectiveness of the system
  • continually improve the system

If you would like us to help you to set up and maintain an ISO27001 system, please contact us.

This is the typical "Plan-Do-Check-Act" cycle which is the basis of most management system standards (e.g. ISO9001, ISO14001, OHSAS18001, etc.).

The most difficult part of meeting the standard seems to be identifying all types of data and prioritising the need for controls. Then actually applying those controls usually takes a lot of work. Of course, you may already be applying suitable controls, in which case the workload may be less.

All pages are © Terry Russell 1994 - 2007

This page was last updated on Nov 03, 2007