ISO 27001 Best Practices in IT
ISO 27001 is the international standard, part of the ISO/IEC 27000 family, that specifies the requirements for an information security management system (ISMS).
Implementing the standard brings a company many benefits. A certified organization is perceived as treating information security seriously. ISO 27001 helps organizations better understand their information security risk, provides better control over technology and business processes, and creates more opportunities to increase efficiency through a better understanding of business processes. Furthermore, the implementation activities are a great help in improving business processes by removing and mitigating security vulnerabilities. They also provide evidence of continuous improvement of the company's IT security in accordance with all relevant regulations and standards.
Implementing ISO 27001 allows expenses to be reduced to some extent, because the effort invested in improving security can prevent unnecessary actions in the event of a security breach. Insurance rates are lower when a company is certified. What is more, the risk of incurring unplanned costs due to security incidents (downtime, information loss, losing an employee, the need to pay a ransom to groups of hackers) decreases significantly.
The need to implement an information security management system may arise from many sources. For example:
- An organization that has experienced an incident of confidential data leakage is seeking methods to minimize the likelihood of similar events in the future.
- Public trust institutions (e.g. a bank, an office, a hospital) would like to prove to current and potential customers that they are trustworthy.
- A company that provides services for so-called regulated markets aims to be certified in order to prove its credibility and to stand out from its competitors.
- And finally, the standard case: the management wants to have control over information security, which at present is the most valuable asset of any organization.
Certification, or at least a declaration of compliance with the requirements of ISO 27001, is mandatory not only in joint tender procedures but also in tenders organized by private companies. Unfortunately, ISO 27001 still remains not very popular in Poland despite all the benefits of implementing it. The number of certified companies increases from year to year; at present fewer than 300 companies can boast certificates of conformity (http://www.iso27000.pl/sites/view/form=3=1). It is a small number in comparison to the several thousand ISO 9001 certificates.
Omni Modo has been conducting audits in the field of personal data protection for 12 years, and the work of our experts has always been based upon the internationally accepted ISO 27001 standard. Many of Omni Modo's employees hold internal or lead auditor certificates. We are a team of personal data protection experts and IT systems security specialists with many years of experience who have conducted several hundred audits in organizations of different sizes and profiles, from local government units and small and medium-sized companies to multinational corporations on the Fortune 500 list.
In 2014 the Polish Association of Public Opinion and Marketing Research Firms introduced to its members an Information Security Quality Control Program. This certification program is based on the ISO/IEC 27001:2015 standard. Detailed information on the certification program can be found on the organization's website: http://www.ofbor.pl/index.php?option=com_content&view=article&id=47&Itemid=55
Omni Modo offered its clients that are members of the Association support in preparing to receive certification under the Information Security Quality Control Program. The first stage is a preliminary assessment of the organization's adherence to the requirements of the above-mentioned programme. As a summary of the audit, Omni Modo presents a full assessment of the organization's current situation, together with a list of actions required to receive the certificate. In the second stage, Omni Modo, along with designated employees of the company, prepares and implements a full Information Security Management System that is compliant with the ISO standards. Omni Modo prepares the required procedures, policies and other documents as part of establishing and implementing the system. Omni Modo also conducts the process of identifying and classifying information assets, along with risk evaluation and preparation of a risk management plan.
We helped our clients in the re-certification process in 2015, and we are proud of the fact that this year 1/3 of the listed companies (certificate holders) are our clients!
Based on our experience, we would like to offer you the implementation of the ISO 27001 standard to the desired extent and congruent with the needs of your organization: from a simple verification of the extent to which your organization operates in accordance with the requirements of the standard, through the creation of an Information Security Management System, to the activities leading to certification. Our services include:
- A pre-audit covering the processes in the organization, existing procedures, legislation affecting the activities of the organization, and strategy.
- Defining the scope of implementation on the basis of the pre-audit, the expectations of the organization and the possible expectations of external entities (customers, suppliers).
- Carrying out the process of identifying information assets in the organization.
- Carrying out the process of risk assessment and preparing a risk management plan.
- Preparing a formal Information Security Management System comprising the set of necessary documents, procedures and policies.
- Conducting training for all staff involved in providing information security.
6-12 months after completion of the ISMS implementation, we offer an audit to examine how the recommendations of ISO 27001 have been implemented in the organization and to introduce corrective and improvement actions.