What is ISO27001 – A Guide for CFO’s
Join today and start learning
TFD is the learning platform built for finance professionals.
This content is available as part of our bitesized video series.
Watch this video today by joining our free community.
Join today and start learning
TFD is the learning platform built for finance professionals.
This content is available as part of our bitesized video series.
Watch this video today by joining our free community.
What is ISO27001 – A Guide for CFO’s
Video information:
In this video, Sean Huggett speaks about ISO27001 and what you as a Chief Financial Officer will want to know when being asked to support a business case for getting certified.
Hello, I’m Sean Huggett. I’m one of the directors at Evalian. We’re an information security, data protection, and business continuity services provider. And in this video, I’m gonna talk about ISO27001, and what you as a Chief Financial Officer will want to know when being asked to support a business case for getting certified.
ISO27001 is the international standard for an information security management system, or an ISMS. Organisations can certify against the ISO27001 standard to help embed and demonstrate a mature approach to information security risk identification, mitigation and continued security review and improvement. The ISO27001 standard is focused on far more than information technology. Whilst IT is clearly going to be a key consideration, an ISO27001 project is gonna touch all areas of your business, including human resources, facilities, procurement, compliance, and business continuity. Even then, you’re likely going to need input from other people from across your organisation based on the information they hold and the systems they use.
So you can understand, identify and mitigate the security risks that are associated with those information and systems. As such, it’s really important to consider ISO27001 readiness as a project that affects your whole business and not something that’s specific to one function, such as your IT department.
Now, Cyber Essentials is an IT security standard, but ISO27001 is not. It’s very much about implementing a management system that applies to all functions within your business. Now implementing and maintaining ISO certificate will require a work ethic that focuses on embracing best practice, promoting consistency, identifying and effectively managing risk and seeking continual improvement. In fact, this last point is a really important one. Continual improvement is a recurring theme throughout every ISO standard, not just ISO27001 And you’ll see it referred to in relation to many requirements such as management reviews, internal audits, the management of nonconformities, training, awareness, and other areas.
And I’ll say this in a little while, but it’s really important not to think of ISO27001 as a static requirement, it’s not something that you implement and then move on from. It’s actually something that needs to be fed and watered, consider it a living management system and identify continual opportunities for improvement, because you’ll need to evidence those to your auditor.
So given the time and effort that you’ll need to go into in preparing for and staying certified, you might be wondering at this stage, well, why go to the effort? Well, there are several good reasons. Clearly, being ISO27001 certified will force your organisation to take a more mature process driven approach to managing information security. This in theory should improve your ability to withstand, and respond to cyberattacks and information security breaches. And clearly, this is a key area of concern facing most organisations today.
Certification can also help with regulatory compliance. Whilst it’s not a GDPR requirement, having a certified ISMS can help ensure in evidence, that you take a risk-led approach to securing the personal data that you collect in process, which is very much a requirement under UK GDPR. Likewise, if you hold an operator’s license for remote gambling from the UK gambling commission, were subject to the networking information systems regulations, or NIS, then being certified will help you meet specific security obligations that your organisation is subject to.
In truth though, nearly all of the clients that ask us to help them certify do so because a customer that they sell to or a market they operate in, has told them they need to get certification. Now this might be an explicit qualification requirement in a tender to retain business or bid for new business, or it might simply be an unspoken expectation that’s developed over time, whereby your market credibility could be affected if you’re not certified, maybe because your competition are all certified. Now whatever the reasoning, once you’ve made the decision to certify, you’ll be interested in the practicalities of doing so.
The key question that we’re usually asked right at the outset is how long will it take us to get certified? Well, the truth is it depends, and it depends on the nature of your organisation and the scope of certification. But whatever that is, ISO27001 is not a one-off tick box exercise, and for this reason, it could take you anything from six to nine to twelve months and maybe even longer to be ready for audit, and it will take even longer after certification until your ISMS and the processes that you’ve implemented start becoming second nature to the way your organisation operates.
Once in place, the ISMS will be audited not once, but twice by an independent certification body. And we would always recommend a certification body that’s been a credit by UCAS, the United Kingdom Accreditation Service. The first audit or stage one audit will verify that all of the mandatory documentation required by the ISO27001 standard has been or is in the process of being implemented. The second audit, the stage two audit, typically takes place two to six weeks later depending on how much work needs to be done, to be ready following your stage one audit. And stage two is very much a deep dive into your information security processes, wherein the auditor will look to you to provide evidence that you do what it says you need to do in your security policies, your procedures, your plans, and other documentation.
Even following certification, your work’s not complete. As I said earlier on, don’t think of ISO27001 as a set and forget type exercise. There’s actually a lot of maintenance to stay on top of after you certify.
Founder and Managing Director for Evalian
Sean specialises in data protection, information risk and information security consulting. He is a qualified barrister, having been called to the Bar in 1998, and started his career as an in-house lawyer working in intellectual property, data protection and commercial contracts. He later progressed into commercial leadership roles, working in a number of sectors before specialising in governance, risk and compliance with a focus on privacy and security. Sean is also Managing Director at Evalian®.
His qualifications include IAPP CIPP-E, CIPT, GDPR Practitioner Certificate, ISO 27001 Lead Implementer, ISO 27001 Lead Auditor and CISMP.
Video information:
In this video, Sean Huggett speaks about ISO27001 and what you as a Chief Financial Officer will want to know when being asked to support a business case for getting certified.
Hello, I’m Sean Huggett. I’m one of the directors at Evalian. We’re an information security, data protection, and business continuity services provider. And in this video, I’m gonna talk about ISO27001, and what you as a Chief Financial Officer will want to know when being asked to support a business case for getting certified.
ISO27001 is the international standard for an information security management system, or an ISMS. Organisations can certify against the ISO27001 standard to help embed and demonstrate a mature approach to information security risk identification, mitigation and continued security review and improvement. The ISO27001 standard is focused on far more than information technology. Whilst IT is clearly going to be a key consideration, an ISO27001 project is gonna touch all areas of your business, including human resources, facilities, procurement, compliance, and business continuity. Even then, you’re likely going to need input from other people from across your organisation based on the information they hold and the systems they use.
So you can understand, identify and mitigate the security risks that are associated with those information and systems. As such, it’s really important to consider ISO27001 readiness as a project that affects your whole business and not something that’s specific to one function, such as your IT department.
Now, Cyber Essentials is an IT security standard, but ISO27001 is not. It’s very much about implementing a management system that applies to all functions within your business. Now implementing and maintaining ISO certificate will require a work ethic that focuses on embracing best practice, promoting consistency, identifying and effectively managing risk and seeking continual improvement. In fact, this last point is a really important one. Continual improvement is a recurring theme throughout every ISO standard, not just ISO27001 And you’ll see it referred to in relation to many requirements such as management reviews, internal audits, the management of nonconformities, training, awareness, and other areas.
And I’ll say this in a little while, but it’s really important not to think of ISO27001 as a static requirement, it’s not something that you implement and then move on from. It’s actually something that needs to be fed and watered, consider it a living management system and identify continual opportunities for improvement, because you’ll need to evidence those to your auditor.
So given the time and effort that you’ll need to go into in preparing for and staying certified, you might be wondering at this stage, well, why go to the effort? Well, there are several good reasons. Clearly, being ISO27001 certified will force your organisation to take a more mature process driven approach to managing information security. This in theory should improve your ability to withstand, and respond to cyberattacks and information security breaches. And clearly, this is a key area of concern facing most organisations today.
Certification can also help with regulatory compliance. Whilst it’s not a GDPR requirement, having a certified ISMS can help ensure in evidence, that you take a risk-led approach to securing the personal data that you collect in process, which is very much a requirement under UK GDPR. Likewise, if you hold an operator’s license for remote gambling from the UK gambling commission, were subject to the networking information systems regulations, or NIS, then being certified will help you meet specific security obligations that your organisation is subject to.
In truth though, nearly all of the clients that ask us to help them certify do so because a customer that they sell to or a market they operate in, has told them they need to get certification. Now this might be an explicit qualification requirement in a tender to retain business or bid for new business, or it might simply be an unspoken expectation that’s developed over time, whereby your market credibility could be affected if you’re not certified, maybe because your competition are all certified. Now whatever the reasoning, once you’ve made the decision to certify, you’ll be interested in the practicalities of doing so.
The key question that we’re usually asked right at the outset is how long will it take us to get certified? Well, the truth is it depends, and it depends on the nature of your organisation and the scope of certification. But whatever that is, ISO27001 is not a one-off tick box exercise, and for this reason, it could take you anything from six to nine to twelve months and maybe even longer to be ready for audit, and it will take even longer after certification until your ISMS and the processes that you’ve implemented start becoming second nature to the way your organisation operates.
Once in place, the ISMS will be audited not once, but twice by an independent certification body. And we would always recommend a certification body that’s been a credit by UCAS, the United Kingdom Accreditation Service. The first audit or stage one audit will verify that all of the mandatory documentation required by the ISO27001 standard has been or is in the process of being implemented. The second audit, the stage two audit, typically takes place two to six weeks later depending on how much work needs to be done, to be ready following your stage one audit. And stage two is very much a deep dive into your information security processes, wherein the auditor will look to you to provide evidence that you do what it says you need to do in your security policies, your procedures, your plans, and other documentation.
Even following certification, your work’s not complete. As I said earlier on, don’t think of ISO27001 as a set and forget type exercise. There’s actually a lot of maintenance to stay on top of after you certify.
Founder and Managing Director for Evalian
Sean specialises in data protection, information risk and information security consulting. He is a qualified barrister, having been called to the Bar in 1998, and started his career as an in-house lawyer working in intellectual property, data protection and commercial contracts. He later progressed into commercial leadership roles, working in a number of sectors before specialising in governance, risk and compliance with a focus on privacy and security. Sean is also Managing Director at Evalian®.
His qualifications include IAPP CIPP-E, CIPT, GDPR Practitioner Certificate, ISO 27001 Lead Implementer, ISO 27001 Lead Auditor and CISMP.
Video information:
In this video, Sean Huggett speaks about ISO27001 and what you as a Chief Financial Officer will want to know when being asked to support a business case for getting certified.
Hello, I’m Sean Huggett. I’m one of the directors at Evalian. We’re an information security, data protection, and business continuity services provider. And in this video, I’m gonna talk about ISO27001, and what you as a Chief Financial Officer will want to know when being asked to support a business case for getting certified.
ISO27001 is the international standard for an information security management system, or an ISMS. Organisations can certify against the ISO27001 standard to help embed and demonstrate a mature approach to information security risk identification, mitigation and continued security review and improvement. The ISO27001 standard is focused on far more than information technology. Whilst IT is clearly going to be a key consideration, an ISO27001 project is gonna touch all areas of your business, including human resources, facilities, procurement, compliance, and business continuity. Even then, you’re likely going to need input from other people from across your organisation based on the information they hold and the systems they use.
So you can understand, identify and mitigate the security risks that are associated with those information and systems. As such, it’s really important to consider ISO27001 readiness as a project that affects your whole business and not something that’s specific to one function, such as your IT department.
Now, Cyber Essentials is an IT security standard, but ISO27001 is not. It’s very much about implementing a management system that applies to all functions within your business. Now implementing and maintaining ISO certificate will require a work ethic that focuses on embracing best practice, promoting consistency, identifying and effectively managing risk and seeking continual improvement. In fact, this last point is a really important one. Continual improvement is a recurring theme throughout every ISO standard, not just ISO27001 And you’ll see it referred to in relation to many requirements such as management reviews, internal audits, the management of nonconformities, training, awareness, and other areas.
And I’ll say this in a little while, but it’s really important not to think of ISO27001 as a static requirement, it’s not something that you implement and then move on from. It’s actually something that needs to be fed and watered, consider it a living management system and identify continual opportunities for improvement, because you’ll need to evidence those to your auditor.
So given the time and effort that you’ll need to go into in preparing for and staying certified, you might be wondering at this stage, well, why go to the effort? Well, there are several good reasons. Clearly, being ISO27001 certified will force your organisation to take a more mature process driven approach to managing information security. This in theory should improve your ability to withstand, and respond to cyberattacks and information security breaches. And clearly, this is a key area of concern facing most organisations today.
Certification can also help with regulatory compliance. Whilst it’s not a GDPR requirement, having a certified ISMS can help ensure in evidence, that you take a risk-led approach to securing the personal data that you collect in process, which is very much a requirement under UK GDPR. Likewise, if you hold an operator’s license for remote gambling from the UK gambling commission, were subject to the networking information systems regulations, or NIS, then being certified will help you meet specific security obligations that your organisation is subject to.
In truth though, nearly all of the clients that ask us to help them certify do so because a customer that they sell to or a market they operate in, has told them they need to get certification. Now this might be an explicit qualification requirement in a tender to retain business or bid for new business, or it might simply be an unspoken expectation that’s developed over time, whereby your market credibility could be affected if you’re not certified, maybe because your competition are all certified. Now whatever the reasoning, once you’ve made the decision to certify, you’ll be interested in the practicalities of doing so.
The key question that we’re usually asked right at the outset is how long will it take us to get certified? Well, the truth is it depends, and it depends on the nature of your organisation and the scope of certification. But whatever that is, ISO27001 is not a one-off tick box exercise, and for this reason, it could take you anything from six to nine to twelve months and maybe even longer to be ready for audit, and it will take even longer after certification until your ISMS and the processes that you’ve implemented start becoming second nature to the way your organisation operates.
Once in place, the ISMS will be audited not once, but twice by an independent certification body. And we would always recommend a certification body that’s been a credit by UCAS, the United Kingdom Accreditation Service. The first audit or stage one audit will verify that all of the mandatory documentation required by the ISO27001 standard has been or is in the process of being implemented. The second audit, the stage two audit, typically takes place two to six weeks later depending on how much work needs to be done, to be ready following your stage one audit. And stage two is very much a deep dive into your information security processes, wherein the auditor will look to you to provide evidence that you do what it says you need to do in your security policies, your procedures, your plans, and other documentation.
Even following certification, your work’s not complete. As I said earlier on, don’t think of ISO27001 as a set and forget type exercise. There’s actually a lot of maintenance to stay on top of after you certify.
Founder and Managing Director for Evalian
Sean specialises in data protection, information risk and information security consulting. He is a qualified barrister, having been called to the Bar in 1998, and started his career as an in-house lawyer working in intellectual property, data protection and commercial contracts. He later progressed into commercial leadership roles, working in a number of sectors before specialising in governance, risk and compliance with a focus on privacy and security. Sean is also Managing Director at Evalian®.
His qualifications include IAPP CIPP-E, CIPT, GDPR Practitioner Certificate, ISO 27001 Lead Implementer, ISO 27001 Lead Auditor and CISMP.
