ISO STANDARD, IT BEST PRACTICES
ISO 27001 is the international norm standardizing the information security management systems.
We would like to propose to You the implementation of ISO 27001 to the extent that You are interested in, adapted to Your organisation. It ranges from a simple verification of the degree to which Your organisation already complies with the standard's requirements, through the development of an Information Security Management System, up to actions aimed at obtaining the ISO certificate. Our offer comprises:
- an initial audit covering the organisation's processes and procedures, the legal provisions affecting the company's operation, and its strategy of action;
- establishing the extent of the implementation on the basis of the initial audit results, the organisation's expectations and the possible expectations of external entities (clients, suppliers);
- identification of the information assets within the organisation;
- risk estimation and drafting of a risk action plan;
- development of a formal Information Security Management System (ISMS), containing the set of required documents, procedures and policies;
- training for all employees involved in ensuring information security.
Implementing the standard brings many benefits to the organisation. The certificate improves the company's image as one that pays close attention to information security. The standard enables a better understanding of the information security risks facing the organisation, ensures more effective supervision over business technology and processes, and increases efficiency through a better understanding of business processes. What is more, the process of implementing ISO 27001 greatly helps to improve business processes by eliminating security gaps, and it demonstrates the on-going improvement of IT security within the organisation, in line with the law and various standards.
Implementing ISO 27001 also makes it possible, to a certain extent, to reduce expenses: the effort put into improving security limits the redundant actions that would otherwise have to be taken in the event of a security breach. In addition, a company holding the certificate often pays lower insurance premiums. Above all, however, the risk of extraordinary costs caused by an information breach is significantly reduced (costs such as an interruption of the company's operations, loss of information, loss of employees or the necessity of paying a ransom to the attackers).
The need for a security management system may arise for many reasons. For instance:
- a company affected by an incident, e.g. a leak of confidential data, seeks a way to minimise the likelihood of a similar event in the future;
- an organisation that builds its brand on public trust (e.g. a bank, a public office, a hospital) wants to demonstrate to current and prospective clients that it is trustworthy;
- a company that is a service provider to the so-called organised markets would like to improve its position and distinguish itself from competitors by holding an ISO certificate;
- last but not least, and a very widespread situation: the management wants to have control over the level of information security, information nowadays being the most valuable asset of any organisation.
Holding an ISO 27001 certificate, or at least a statement of compliance with this standard, is increasingly a prerequisite for participating in tenders; notably, this applies not only to public tenders but also to those organised by private companies.
While conducting personal data protection audits for over 14 years, Omni Modo has always relied on the ISO 27001 recommendations. Many Omni Modo employees hold an ISO Internal Auditor Certificate or a Lead Auditor Certificate. Our team is composed of lawyers and IT specialists with many years of experience, and we have conducted several hundred audits in organisations of various sizes and profiles, from local government entities, through small and medium enterprises, up to international corporations from the Fortune 500 list.
In 2014 OFBOR (the Polish Association of Public Opinion and Marketing Research Firms) implemented for its members the Information Security Quality Assessment Programme (PKJBI). This sector-specific programme is based on PN-ISO/IEC 27001:2015.
Omni Modo has supported its clients that are also OFBOR members in the process of obtaining the PKJBI certificate. The first stage comprised an initial comparison of the company's compliance with the PKJBI requirements. The audit summary consisted of a full assessment of the company together with a list of actions aimed at obtaining the certificate. During the second stage, Omni Modo, together with designated employees, drafted and implemented a full Information Security Management System (ISMS) compliant with the ISO requirements. Apart from drafting the required procedures, policies and other documents, designing and implementing the ISMS comprised the identification and classification of information assets combined with risk estimation and a risk action plan.
In 2015 we assisted our clients in the recertification process; we are proud that 1/3 of the companies holding the certificate in 2016 were our clients!
Six to twelve months after the implementation of the ISMS we offer an audit in order to verify how the ISO 27001 implementation process is working in Your organisation and to take improvement and corrective actions.