How an organisation deals with information has a big influence on its success. For example, the confidentiality of personal data, the availability of IT systems and the correctness of financial information are all crucial elements for any type of organisation: big or small, public or private. Moreover, recent news stories show that no company or organisation is immune to cyberattacks or data leaks, which can not only lead to reputation loss but can also have serious financial consequences.
An information security management system (ISMS) based on ISO/IEC 27001 can help you keep the risks described above under control.
Buy ISO/IEC 27001:2017 in the NBN web shop and get an overview of all the requirements.
The standard’s full name is ‘ISO/IEC 27001: Information technology — Security techniques — Information Security Management Systems — Requirements’. It sets out the requirements for creating, assessing and continuously improving an effective ISMS. The main goal: to protect the confidentiality, integrity and availability of all data within your organisation.
The structure of ISO/IEC 27001 was adapted to the High-Level Structure (HLS) in its latest version. Dozens of other ISO management standards went through the same change in recent years. With these changes, ISO ensures that all adapted standards share the same basic structure. The biggest benefit: it is now easier for organisations to integrate various management standards into one management system. For example, it is perfectly possible to establish an ISMS in combination with ISO 9001 (quality management), ISO 14001 (environmental management) or ISO 45001 (occupational health and safety).
Hendrik Decroos, representative of Belgium and NBN in the international work group that reviews the HLS, analyses its virtues.
More concretely, HLS requires ISO/IEC 27001 to consist of these ten chapters:
Among others, the following topics are brought to light in ISO/IEC 27001:
Information security and an effective ISMS are important for all organisations and companies, because information is everywhere. Just think of client information, data from production systems, records from R&D centres and financial reporting.
ISO/IEC 27001, the international standard for information security, is among the top 4 ISO management standards when it comes to valid certificates. According to the latest ISO Survey (2018) no fewer than 59,934 sites worldwide hold ISO/IEC 27001 certificates, of which 208 are in Belgium.
Correct and full implementation of an ISO management standard is optional. For example, it is perfectly acceptable to implement only part of the requirements. However, if you’re looking to get certified, you’ll have to comply with all of them. In that case, an independent institution will evaluate your ISMS at your request. If everything goes as planned, you’ll receive a written document proving that you comply with all requirements of the standard. This certificate is valid for 3 years. Afterwards, you can renew your certificate (if you want) by repeating the whole process.
These are the 3 biggest advantages of an ISO/IEC 27001 certificate:
Wonder what he had to say?
Although ISO, IEC and NBN facilitate the development of standards, these organisations are not involved in the certification process. In other words, you can never be certified by ISO, IEC or NBN. That is the job of independent certification institutions after the positive assessment of your ISMS.
In Belgium, there are many institutions that certify organisations for ISO/IEC 27001 after an audit. However, not all of them are accredited by BELAC, the Belgian accreditation institution. This recognition isn’t mandatory, but it does give you extra assurance that the audit process will be executed competently. Why? Accreditation guarantees technical competence, independence and impartiality.
Would you like to get your ISMS certified? Follow these steps:
Depending on the size and complexity of your organisation, working through this checklist takes about 3 to 12 months. A lot depends on your preparation, your understanding of the requirements of the standard and the maturity of your organisation.
The price tag depends on various elements. For example, will you receive support from an external partner or do you do everything yourself? Besides that, the size and complexity of your organisation can either raise or lower the costs. One thing’s for sure: you’ll need to contact a certification institution to perform the external audit. Normally, you sign a three-year contract with the institution – equal to the validity period of a certificate.
It is important to note that you define the scope of the certification and the related audits: you can choose to include or exclude each service you provide. The ISMS covering the services of your choice will then be assessed for compliance with the requirements of ISO/IEC 27001. This is done by an independent certification institution. Before the certification audit, you can carry out one or more internal audits to prepare.
Once three months have passed since the full implementation of the management standard, you can initiate the certification process and plan an external audit. That audit will take one or more days, depending on the size of your organisation. Are your facilities spread over various locations? The auditor will visit all relevant locations.
The audit consists of 2 phases:
During the audit, the certification institution decides whether you have implemented the requirements successfully and correctly. If the result is negative, you will receive a report listing non-conformities and things to work on. An additional audit will then provide you with a definite answer. If the result is positive, you receive a certificate. Every year, an external auditor will assess the improvement of your ISMS. After three years, the validity period of the certificate, you can apply for renewal.
These 4 tips raise your chances of success:
Do you have an information security management system (ISMS) and wish to prepare for an internal or external audit? In the revised standard ISO/IEC 27007:2020 (Information security, cybersecurity and privacy protection – Guidelines for information security management systems auditing) you’ll discover clear guidelines.
Although ISO/IEC 27001 is the only certifiable standard within the ISO/IEC 27000 series, it might be interesting to combine the management standard with other standards from the same family. They indicate how to implement ISO/IEC 27001 and strengthen your ISMS by focusing on additional features. These are some of the standards that are worth considering:
Purchase the standard in the NBN e-shop and get an overview of all the requirements needed for an effective information security management system.