Why Use Us?
Acenseo are a premier supplier of ISO27001 consulting services. Our experienced specialists use our proven methodology to achieve success for our clients.
Acenseo offer a solution that includes risk assessment, policy and procedure writing, technical expertise, business continuity consultancy, project management and skills transfer to ensure project success.
Why ISO27001?
Information is one of your most important organisational assets, yet poor management leaves it constantly under threat. By providing a formal, structured framework, ISO27001 gives you increased assurance about your security practice, and provides an effective means of communicating this internally and to the outside world.
From a technical and procedural perspective it should not only help reduce the threat to the business plan from identified threats such as hacking and viruses, but should also help reduce the vulnerability of your systems to these threats and the impact should they materialise.
Technical Improvements Include:
- Justified Technical Controls
- Identified points of weakness
- Managed Operational Risk
- Improved awareness amongst staff
ISO27001 can also add distinct commercial advantages in the demonstration that companies have deployed an 'appropriate security practice'. This not only offers significant sales advantages, but also potential advantages when considering legislation such as Data Protection and the Turnbull report (Governance on companies listed on the stock exchange).
Business Advantages Include:
- Competitive advantage
- Increased customer and partner confidence
- Improved Business efficiency
- Regulatory Compliance
- Contingency Plans
What's in the Standard?
The standard effectively comes in two parts:
- ISO27001:2005. This is the standard specification for an Information Security Management System (ISMS). An ISMS is the means by which senior management monitor and control their security, minimising the residual business risk and ensuring that security continues to fulfil corporate, customer and legal requirements.
- ISO27002:2005. This is the standard Code of Practice and can be regarded as a comprehensive catalogue of good security practices. The information provided for each control is intended for guidance only.
Who's Using the Standard?
Take a look at some of the thousands of organisations worldwide who are already compliant with the standard.
- Bechtel Group Ltd
- BT
- Business Systems Group
- Cable & Wireless IDC Inc
- DTI
- EDS
- Hays Commercial Services
- HM Government Communications Centre
- KPMG
- Mitsubishi
- NHS Purchasing and Supply Agency
- Nokia
- NTT
- Orange
- Royal Mail
- SchlumbergerSema
- Serious Fraud Office
- Siemens
- Sony
- The Royal Bank of Scotland
- The Stationery Office
- Talk Talk
- T-Mobile (UK) Ltd
- T-Systems
- Vodafone
- Yorkshire Water IT
You can see the full list here.
The UK Government requires all central government departments to be compliant with the standard, so with this in mind ISO27001 is being used by government as one of the mandatory requirements during tendering. Are you tendering for public sector business without ISO27001? If so, you should mark yourself out as an organisation that takes itself and its trading partners seriously by gaining compliance with the standard.
The Acenseo Method
Acenseo has significant experience in implementing strategies to become and demonstrate compliance with the ISO27001 Standard. We adopt a staged approach allowing clients to utilise our expertise in any of the key stages of a compliance programme, all of which are designed to introduce an Information Security Management System that follows the Plan, Do, Check, Act model introduced in ISO27002:2005. This is a de facto methodology and ensures that the correct components are engaged, evaluated, monitored and improved on a continuous basis.
Scoping
To maximise the benefit and minimise the cost of your compliance programme it is critical that it is scoped correctly. This critical stage is often poorly approached and can lead to problems that jeopardise the overall project's success.
We will ask some fundamental questions to ensure that your programme of work is defined in such a way as to maximise business benefit.
- What is the cost/benefit of total compliance?
- What are your critical business processes?
- How big should the ISMS be?
- What are the business objectives for the compliance programme?
- What are the short, medium, long term objectives of the organisation?
- How can the scope be devised to be expandable at a later stage?
Gap Analysis
The aim of the Gap Analysis is to highlight areas where there are significant gaps in the current processes or security measures implemented that are considered to be inconsistent with the requirements of the standard.
Acenseo have devised a simple system for asking the right questions about each control, which will identify weaknesses and begin the process of developing an improvement plan.
Our consultants have significant experience in this area and can expertly review your current practices against the requirements of the standard.
Security Improvement Programme
A direct output from the Gap Analysis will be an Action Plan to address each area of weakness identified, and provide practical advice on how to address deficiencies. For each recommendation made Acenseo will cost, prioritise and help to resource each action.
Developing Information Asset Registers
A mandatory element of any compliance programme is the creation of an Information Asset Register. This will then be a critical element used during the Risk Assessment.
Our consultants have considerable expertise in developing this mandatory document using a variety of approaches.
The Risk Assessment Report
To comply with ISO27001, organisations must conduct a risk assessment and define and implement a risk treatment plan. In line with the Standard, which does not mandate a particular style of risk assessment, Acenseo have experienced consultants who can develop the required documentation using a number of different tools and techniques.
See our section on Risk Management for more details.
Policies and Procedures
A requirement of any compliance programme will be the creation of documentation that will allow an organisation to demonstrate the way in which its security management system operates. These will be a mixture of Policies (why); Procedures and Guidelines (who and when); and Standards (how). What is critical is that:
- Policies reflect requirements and are not created 'because they need to be'
- Effective procedures should be useful, benefit the business, and where possible utilise existing mechanisms
- All policies, procedures and standards should demonstrably reduce incidents
- 'Shelf-ware' is not created; it does not benefit anybody, and does not impress ISO27001 auditors.
Our consultants have considerable expertise in developing all of these documents to assist you through the compliance process. We also have at our disposal a number of innovative ways in which the information can be stored and disseminated to reduce overheads and increase effectiveness.
Statement of Applicability (SoA)
This is a mandatory document, describing how an organisation has interpreted and applied the Standard, referencing supporting evidence.
Acenseo has the expertise to help your organisation develop an SoA that will meet auditing requirements whilst providing you with a document that delivers real value.
Awareness Programmes
A critical and mandatory element of any ISO27001 programme is the deployment of awareness strategies that demonstrably increase the level of awareness of information security within the organisation.
Acenseo have a pragmatic approach to the development of such programmes, utilising a variety of delivery mediums aimed at a variety of audiences, from the general user to the sophisticated IT professional.
Internal Compliance Audits
Acenseo helps organisations maintain and improve their Information Security Management Systems (ISMS) by offering the following services:
- Creating audit frameworks
- Creating audit schedules appropriate for compliance with the standard
- Conducting internal audits
Further information on our services is available from our marketing team on 0118 979 0000 or email us at info@acenseo.com.
Visit our website http://www.acenseo.com