WHY IS DEMAND FOR ISO 27001 BOOMING?

A White Paper written by The British Assessment Bureau

MARK0003 | V1 | 01.08.2016


CONTENTS

1. INTRODUCTION
2. HOW WE GOT HERE
3. 3 CAUSES OF DATA BREACHES
3.1 Malicious, intentional or criminal
3.2 System glitches
3.3 Human error
4. WHAT ARE THE CONSEQUENCES?
4.1 Other consequences
5. COMPLACENCY CAN BE FATAL
6. IT'S NOT JUST THE IT DEPARTMENT...
7. HR AND INFORMATION SECURITY
7.1 Operation Quest
7.2 Operation Jerome
8. STEP 1, STEP 2, PROOF...
8.1 Benefits of ISO 27001
9. WHAT YOU NEED TO CONSIDER
9.1 Cyber Essentials
9.2 CSA STAR
9.3 Cyber Insurance
10. CERTIFICATION PROCESS
10.1 Pre-Assessment
10.2 Stage 1 Audit
10.3 Stage 2 Audit
10.4 Annual Audit
11. USING A CONSULTANT
12. CHOOSING A CERTIFICATION BODY
12.1 Certification or Accreditation?
13. THE COST OF ISO 27001
13.1 Ongoing costs
14. CONCLUSION

This White Paper will teach you:

• WHAT ISO 27001 is, how it works and the benefits certification brings to organisations
• WHY ISO 27001 is so popular
• HOW organisations can become ISO 27001 certified
• WHO the most suitable Certification Body is to work with
• WHAT costs you can expect when becoming ISO 27001 certified


1. INTRODUCTION

ISO 27001, the Information Security Management System (ISMS) standard, is all about safeguarding your information and your customers' information. While it is one of the lesser-known standards compared to ISO 9001 and ISO 14001, it is increasing in popularity and demand.

Until now it has been the 4th most popular standard, after ISO 9001 for Quality Management, ISO 14001 for Environmental Management and OHSAS 18001 for Health and Safety.

However, that situation is changing. All businesses, charities, organisations and public sector bodies need to know what ISO 27001 is all about, what the implications are and what can be done to achieve certification to the standard.

The Federation of Small Businesses (FSB) is certainly taking this seriously. 42% of its members have been directly affected, and the FSB is calling for all businesses to take steps to assess the risks of online crime and fraud. The FSB has published its Cyber Crime strategy online.

This White Paper will take you through the subject: the risks, the numbers and the reasons why information security is so important. We'll cover the problems and challenges you may face when implementing ISO 27001, the consequences of ignoring them and what you can do to prevent the problems arising in the first place.

2. HOW WE GOT HERE

For years, organisations have been primarily focused on making sure that physical security is in place; that is exactly what the insurance industry has demanded. If you failed to install the right padlock or level of security, you could find yourself uninsured, which has made us all the more aware of physical security. The problem is that we've forgotten about information security.

We all have processes in place for locking up at the end of the trading day, including key holders' responsibilities, tracking sets of keys and permitted access to premises. Nowadays virtually all sporting venues have key-coded doors to access changing rooms to reduce theft, and of course the same precautions are found in baby units at hospitals, nursery schools, etc.

We're very good at protecting physical things: chairs, tables, plant and stock. But when it comes to information we're not quite as diligent.

Businesses have been encouraged to identify risks of all shapes and sizes for years now, and once identified they must be managed and risk mitigation must be considered. In the good old days it was the physical risks that were so important, with a primary objective of staying one step ahead of the thief.

First we had clear desk policies: putting away papers holding customer information. Filing cabinets were locked and confidential paper waste was shredded.

As soon as computers hit our desks, we had to start thinking about firewalls, anti-virus and malware, passwords, logins and access levels. As the internet and computer networks arrived, risks not only multiplied, they became even more complex.

Having a password isn't enough these days. It must be 'strong' (letters, numbers and symbols included), usually combined with a second factor such as a PIN or token, and auto lock-outs now happen in minutes rather than not at all. Regular forced password changes were long part of that list too, although current UK NCSC guidance advises against routine expiry, because it pushes people towards predictable variations of the same password; long, unique passwords, lock-out and a second factor do more good. Clear screen policies have now been added to the clear desk policy.

Privileged access levels are commonplace, and that goes for keystroke monitoring too. Personal email protocols, spam filters, email list security and file attachment rules now pervade businesses and employee handbooks. Dropbox (and similar services), once the storage choice alongside removable drives, has now been joined by a plethora of cloud storage systems. Plug-in devices raise security issues of their own.

Backups for systems, data lists and intellectual property were usually done to a removable device that someone took home. Now, with rapid technology developments, backups are far more sophisticated and complicated. This in turn increases the risks and makes them even more complex.


Keeping your website safe and compliant is a business priority, especially if it's your main trading platform. Developing software is a challenge and upgrading existing software can be a problem too. Preventing your employees from uploading unchecked software is testing, but it's best practice to put this in place. Encryption and the TLS padlock are now the norm on websites and e-commerce platforms, but all of this needs managing and protecting. Using open-source code is standard for many organisations today, but do you really understand what you're getting into, and do you track the components you depend on and the vulnerabilities reported against them?

Traditional pen-and-paper businesses are now conducted almost entirely on connected computers, with data stored in remote clouds that have portal logins for customers to access their files. Collaborative working, co-working spaces, home offices and coffee shop working continue to raise information security concerns and challenges.

Another big question: is wireless secure or not, and does anyone really care anymore? Surely all we want now is to be connected! The days of dedicated ISDN installations are gone, the VPN is often skipped, and BYOD (Bring Your Own Device) is now requested for seminars, workshops and training courses. We just plug in, log on and go, assuming that everything will be okay. On an untrusted wireless network, an encrypted channel (a VPN, or TLS to every service) is still the control that makes that assumption safe.

It's certainly been a fast ride from the 1980s to today's online, connected and casual world. But as the world has changed, so have the risks you need to be aware of, manage and mitigate.

What all organisations need is an information security minded approach, with processes that allow the right people to access the right data at the right time. Collecting, storing, accessing and using data securely and effectively must be the goal for every organisation. It certainly is a major priority for big brands, and it should be for you too.

3. 3 CAUSES OF DATA BREACHES

There are hundreds of security breaches every day, but in the end they fall into 3 main groups:

1. Malicious, intentional or criminal
2. System glitches
3. Human error

The IBM-sponsored 2015 Cost of Data Breach Study, conducted by the Ponemon Institute, allocates 49% of breaches to malicious activity, 23% to system glitches and the remaining 28% to human error.

3.1 MALICIOUS, INTENTIONAL OR CRIMINAL

Just like the old-fashioned theft of physical goods, these attacks are usually well planned and targeted, and for the most part have a negative impact on the business being targeted.

Many of us have had our email hacked or our phone tampered with by mischievous friends sending inappropriate texts to our contact lists. It can happen to anyone; it's usually just a matter of time.

Phishing, scams, hacking, fraud, cybercrime, theft of intellectual property (company T&Cs are the most commonly stolen text), data, systems and diversion of funds. Viruses and system infections are also common. As businesses work hard at preventing data theft by implementing more sophisticated systems, the perpetrators are working just as hard to always stay one step ahead.

E-commerce trading operations regularly undergo penetration testing and CREST STAR (Simulated Target Attack and Response) testing. This makes sure that their sites are safe and can continue to trade securely.

Just because you're a small business doesn't mean you aren't a target. It might not even happen online: invoice fraud is an increasingly real threat.

3.2 SYSTEM GLITCHES

Why is it that your network and computer were fine when you turned them off last night, but first thing this morning they don't work? These problems happen; they seem illogical and we never usually know the reason why.

Most of the time the problem is solved and everyone gets back to work with a sigh of relief. Investigations should be commonplace, but sadly they only happen in a few cases.

Where they do happen, it's this diligent approach to understanding what happened and why that makes an organisation's systems much stronger.

[Diagram: threats shown on the outside (cyber crime, phishing, hacking, theft, fraud, STAR, physical data) against the layers of defence: basic security, policies & protocols, ISO 27001, Cyber Essentials scheme, CSA STAR.]


When a product is badly made, how do you know whether the problem with the ingredients for your production recipe is a 'system glitch' or intentional tampering by a disgruntled employee? The only way to find out and stop it happening again is to investigate, find, resolve and monitor.

3.3 HUMAN ERROR

The wonderful thing about people is that they are predictably unpredictable! But as a manager this is a difficult one to manage, because of the unpredictable nature of the risk: you're unlikely to get any warning signs.

The news is littered with stories of companies where employees have left laptops or paper files on trains, lost phones, shared passwords they shouldn't have, or posted the wrong information at the wrong time on websites; the list goes on and on.

In the USA there's a website dedicated to daily security breaches. It's a great place to see the full extent of information security risks, and it's a bookmarked site for many IT specialists.

ISO 27001 is the best practice framework for an Information Security Management System

4. WHAT ARE THE CONSEQUENCES?

Let's look at legal breaches first. A breach of the Data Protection Act 1998 can result in prosecution, fines of up to £500,000, loss of customer confidence and of the associated income. For many businesses this could lead to insolvency. In May 2018 the EU General Data Protection Regulation (GDPR) comes into force. From that date, breached organisations will find the fines they face increase dramatically, with the new upper limit totalling €20 million or 4% of worldwide annual turnover, whichever is higher.

The IT Governance website explains this in more detail. The international standard for Information Security Management, ISO 27001, summarises the information security elements of the majority of global privacy regulations, including Principle 7 of the Data Protection Act, by providing a comprehensive framework for developing, implementing and maintaining an independently auditable Information Security Management System (ISMS).

ISO 27001 helps organisations protect their data assets and meet their compliance objectives. An ISO 27001 compliant ISMS is a risk-based approach to Information Security Management that addresses the specific security threats an organisation faces, covering people, processes and technology.

Accredited certification to ISO 27001 is recognised across the world as the hallmark of best practice Information Security Management, and demonstrates to customers, stakeholders and staff alike that an organisation takes its data security responsibilities incredibly seriously.

1. Disruption to normal business practices. At the very least someone will have to deal with the problem, and it'll usually be a team of people: MD, IT, Operations, Finance and Marketing.

2. Increased and unexpected costs will be incurred, and the problem will need to be rectified. This isn't only money; it's employee time too that's lost, because they aren't doing what they normally do to generate income for the business.

3. You'll have to spend time and money on media relations, as well as communicating a lot more with customers, employees and shareholders. Everyone will be nervous about the implications of a security breach, especially regulatory bodies, bankers, trade bodies and possibly the police, who will need to know what's happening.

4. Managing customer complaints, dealing with customers' questions and queries, reassuring suppliers: it all takes time.

5. Damage to your brand could be significant and sometimes even fatal.

4.1 OTHER CONSEQUENCES

6. Loss of confidence in your organisation leads to lost income and the inevitable squeeze on profits, in addition to cash-flow issues.

7. Lost customers always have a tendency to spread the bad word, so it becomes harder to attract replacement customers. Sales and marketing costs spiral against falling income.

8. Lost profit, either from increased costs or the payment of fines.

9. Exposure to legal and regulatory fines.

According to UK Government, 72% of small businesses experienced a security breach in 2015

5. COMPLACENCY CAN BE FATAL

All too often we say 'it won't happen to me', but it can, and does. Burying your head in the sand isn't good enough anymore; there's far too much at stake.

How would you feel if it was your personal details left on a laptop on a train, or your banking details hacked from a supplier? How would you feel if you were a sweet manufacturer and someone tampered with your secret recipe, which meant children became ill? That is just another example of a security breach.

What if one of the invoices you paid had been tampered with, meaning you paid a criminal instead of your client and you'd have to pay it again? What checks and balances do you have in place to make sure your money is going to the right account? Confirming any change of bank details by telephone, on a number you already hold rather than one given in the email, is the simplest of those checks.

You certainly don't want it to happen to you, but how can you answer your customer's question: "Can you prove that my data is secure?" Rest assured it won't be long, just a few more public breaches, until more and more people start demanding proof of secure data handling from their suppliers.

It's so important for everyone, shareholders, customers and employees, that you have this under control. ISO 27001 is a good place to start.

Page 7: brand new White Paper 'Why is Demand for ISO 27001 Booming?

6. IT'S NOT JUST THE IT DEPARTMENT

Information security isn't just about websites, clouds, emails and apps. It's about everything in your business or organisation: secret recipes, trademarks, patents, copyright, data, processes and company assets.

An ISMS applies to everyone, wherever they are and whatever they do in your organisation.

You'll need to consider systems and procedures that everyone must follow. This will help you to reduce the risk of someone forgetting, or doing something wrong, which leads to a breach.

Don't restrict your policies to only your direct employees. You need to think about others who have access: your outsourced bookkeeper, contractors, interims, freelancers and interns. Anyone who has access to anything in your business should be included.

Often overlooked areas are your web and marketing agencies, payroll providers and accountants. The agencies usually take a feed of your customer data into their systems to enable them to send email marketing campaigns on your behalf. How do you know if they are keeping your data secure, and what checks do they have in place to make sure they use the right list with the right communication?

Your money advisers may be emailing your sensitive company data, or might not be holding it in a secure location, either on or offline.

Do you email your accounts to your accountant and vice versa? What happens if it arrives at the wrong destination? Anyone that you share information with ought to be able to prove to you that it's secure.

Shouldn't you insist that your suppliers have ISO 27001 certification as well?

We always want to believe the best in everyone. But there are many bankrupt companies because one partner didn't play by the rules whilst the other partner didn't have any checks and balances in place to highlight that something wasn't right.

Nick Leeson, 'the infamous trader whose unchecked risk-taking caused the collapse of Barings Bank', proved that uncontrolled employees or partners can be extremely dangerous to a business and its customers. Unsuspecting customers are usually the victims, leading to emotive and high-profile reporting, which in turn causes significant brand damage and lost income.

As a business manager, leader or owner, you have a duty of care to manage information security and mitigate the risks. That's where ISO 27001 can help!

Now a question for you: when was the last time you reviewed your online privacy policy? Do you know what it says, the obligations it puts on you and how you are performing against it? You should!

Page 8: brand new White Paper 'Why is Demand for ISO 27001 Booming?

7. HR AND INFORMATION SECURITY

Because of the human element, HR has a big role to play in an organisation's Information Security Management. From hiring the right people to setting the policies and policing them, HR is at the heart of this.

Two true stories from the Serious Crime Directorate of Kent Police:

7.1 OPERATION QUEST

An Essex-based company had a disagreement with their senior IT employee. This resulted in the company dismissing the employee and, as a parting shot, telling him he would not be paid anything further by them.

The company, however, didn't take swift action in removing the now ex-employee from their network. As such, within a day he'd gained remote access to their system, destroyed key files required to operate their business and corrupted the backup files.

Although the suspect was arrested and is currently on bail, this doesn't retrieve those files for the company, and they're only now, some 3 months later, starting to operate more smoothly. The lesson is that revoking access (accounts, VPN, remote administration tools, shared passwords) belongs in the dismissal itself, not in the days after it, and that backups the same account can reach and corrupt are not backups.

7.2 OPERATION JEROME

An IT employee from a Kent-based company left and joined a rival company, taking the username and password for the IT system with him.

This was provided to 5 company directors of his new company. Over a long period of time they used the provided credentials to intrude onto the victim's server and obtain confidential business information, allowing them to take over customer contracts by undercutting pricing. The case is currently in the court process.

These stories illustrate perfectly why HR, alongside line managers and people management, must be closely involved with the ISMS. Here are some of the areas where HR can contribute:

• Confidentiality clauses;
• Non-disclosure agreements;
• Data protection, helping to define sensitive employee information;
• Employee handbook with relevant policies: IT usage; email usage; internet usage; downloading programs; 3rd party software; clear desk and clear screen policies; bribery, ethics and business protocols;
• Termination of employment;
• Passwords;
• Recruitment policies;
• Employee health and personal details.
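As an added example, not code from the white paper or from the British Assessment Bureau, the following Python script shows the two checks these stories call for: reconciling an HR leavers list against the account directory and the remote-access log so that a dismissed employee's access is gone by the end of their last day (Operation Quest), and spotting one credential being used from several outside addresses, which is what shared or stolen credentials look like in a log (Operation Jerome). The HR export, directory export, log format, address ranges and account names are all constructed assumptions; point the parsers at your own sources.

```python
"""Offboarding reconciliation. Added example, not code from the white paper or
the British Assessment Bureau; the exports, log lines and account names below
are constructed sample data in an assumed format."""
import csv
import io
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed HR leavers export (assumed columns: username, last working day).
HR_LEAVERS_CSV = """username,last_day
jsmith,2016-07-29
pjones,2016-06-30
"""
# Constructed directory export. jsmith is still enabled after leaving: the
# Operation Quest mistake.
DIRECTORY_CSV = """username,enabled
jsmith,true
pjones,false
aadams,true
svc_backup,true
"""
# Constructed remote-access log in an assumed key=value format.
AUTH_LOG = """\
2016-07-29T16:05:00Z vpn01 login user=jsmith src=203.0.113.45 result=success
2016-07-30T23:10:00Z vpn01 login user=jsmith src=203.0.113.45 result=success
2016-07-31T02:14:12Z fileserver login user=jsmith src=10.20.5.9 result=success
2016-08-01T08:55:00Z vpn01 login user=aadams src=10.20.0.15 result=success
2016-08-01T09:00:00Z vpn01 login user=pjones src=198.51.100.200 result=failure
2016-08-02T19:40:01Z fileserver login user=svc_backup src=198.51.100.7 result=success
2016-08-02T21:12:30Z fileserver login user=svc_backup src=198.51.100.9 result=success
2016-08-03T07:03:11Z fileserver login user=svc_backup src=203.0.113.88 result=success
"""
# Address ranges treated as inside the organisation; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) "
                    r"src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse_ts(s):
    """ISO-8601 UTC timestamp (2016-07-30T23:10:00Z) -> aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_leavers(text):
    """username -> cutoff: midnight UTC at the end of the last working day,
    after which every form of access should already be gone."""
    cutoffs = {}
    for row in csv.DictReader(io.StringIO(text)):
        last_day = datetime.strptime(row["last_day"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        cutoffs[row["username"]] = last_day + timedelta(days=1)
    return cutoffs

def parse_directory(text):
    """username -> enabled flag."""
    return {r["username"]: r["enabled"].strip().lower() == "true"
            for r in csv.DictReader(io.StringIO(text))}

def parse_auth_log(text):
    """Log lines -> event dicts; lines in another format are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"], e["src"] = parse_ts(e["ts"]), ipaddress.ip_address(e["src"])
            events.append(e)
    return events

def stale_accounts(cutoffs, directory, now):
    """Leavers past their cutoff whose account is still enabled."""
    return sorted(u for u, c in cutoffs.items() if now >= c and directory.get(u, False))

def post_termination_logins(cutoffs, events):
    """Successful logins by a leaver at or after their cutoff (the Operation Quest
    pattern). Failed attempts are left out here but deserve an alert as well."""
    return [e for e in events if e["result"] == "success"
            and e["user"] in cutoffs and e["ts"] >= cutoffs[e["user"]]]

def shared_credential_suspects(events, internal_nets, min_sources=2):
    """Accounts used successfully from min_sources or more distinct external
    addresses: one credential in several hands (the Operation Jerome pattern)."""
    sources = defaultdict(set)
    for e in events:
        if e["result"] == "success" and not any(e["src"] in n for n in internal_nets):
            sources[e["user"]].add(str(e["src"]))
    return {u: s for u, s in sources.items() if len(s) >= min_sources}

def run_report(now):
    """All three checks over the sample data, as a dict of findings."""
    cutoffs, events = parse_leavers(HR_LEAVERS_CSV), parse_auth_log(AUTH_LOG)
    return {
        "stale_accounts": stale_accounts(cutoffs, parse_directory(DIRECTORY_CSV), now),
        "post_termination_logins": [(e["ts"].isoformat(), e["user"], e["host"])
                                    for e in post_termination_logins(cutoffs, events)],
        "shared_credential_suspects": shared_credential_suspects(events, INTERNAL_NETS),
    }

if __name__ == "__main__":
    for check, finding in run_report(parse_ts("2016-08-04T09:00:00Z")).items():
        print(check, finding)
```

Run as it stands, the script reports jsmith as still enabled with two logins after the leaving cutoff, and svc_backup as used from three different external addresses. In practice the leavers feed should come from HR on the day of dismissal rather than from a monthly export, and the reconciliation should cover VPN, remote-administration and shared service accounts as well as personal ones, since those are what an ex-administrator reaches for.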

8. STEP 1, STEP 2, PROOF...

Your physical security is most likely in place, with doors locked and alarms set when you're not there. Your firewall, spam filters and antivirus are also most likely up and running 24/7. You'll also have some written processes, procedures, ways of doing things, checklists and monitoring in place.

All that means you're well on your way to having an Information Security Management System in place. Having an ISMS in place means you've already completed step 1 in proving to everyone that your data is secure. Gaining certification to ISO 27001 gives you step 2, and ultimately the proof.

ISO 27001 proves you take Information Security Management seriously.

Now you can prove to your customers, both existing and potential, that you not only take information security seriously, but that everyone in your organisation is information security aware, and that you have systems, processes, procedures and monitoring in place to make sure everything is right.

An effective ISMS means everyone and everything in the organisation is involved.

8.1 BENEFITS OF ISO 27001

Now you have content customers, you'll also start to experience a number of other benefits:

1. Attracting new customers is easier;
2. Happier, more confident customers who buy more;
3. Reducing costs with less waste;
4. Gaps and loop-holes plugged;
5. A more streamlined business, as duplication is removed;
6. Access to more customers. You'll be able to pitch for tenders where ISO 27001 is stipulated as mandatory;
7. Trust increases as customer relationships become stronger;
8. You're perceived better than your competitors who don't have ISO 27001;
9. Raises standards from your suppliers;
10. Happier employees who know what to do, when to do it and, most importantly, why they're doing it;
11. Reduced risk of cyber-attacks;
12. Higher quality customer service;
13. Reduced time spent completing tenders;
14. Fewer problems to solve or complaints to deal with;
15. Your employees become the 'information security police' and ensure all employees do it right.

ISO 27001 delivers more than proof... It saves money too.

9. WHAT YOU NEED TO CONSIDER

As with anything new in an organisation, it has to be driven from the top, so great leadership is needed. You'll need an 'ISO champion' with a public mandate to implement the ISMS, as directed by the senior management team.

You'll need to comply with the Data Protection Act 1998 and any codes of practice and/or regulations for your industry. These are varied, but most will also help towards your ISMS and gaining ISO 27001.

You'll need to understand exactly what needs to be protected and why. Then you'll work on the how: data, IP, processes, personal details of employees and customers, payments, trade secrets, etc.

A commitment to ongoing improvement is needed. You can't take your eye off the ball once you have your certificate; you have to maintain it. There'll be an annual audit to make sure you're still up to scratch, and if not you'll risk losing your certification.

As the diagram below shows, ISO 27001 is a step towards a better Information Security Management System, but there are many other cyber risks that could hit your organisation which don't necessarily fall under 'information'.

[Diagram: layers of defence, from the outside in: CSA STAR; Cyber Essentials; ISO 27001; policy & protocols; firewall / anti-virus / encryption; physical (locks, alarms & padlocks). Threats shown against them: cyber crime, phishing, fraud, hacking, theft.]


9.1 CYBER ESSENTIALS

This is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber-attacks. It's a set of basic technical controls for organisations to use. Backed by the FSB, the CBI and a number of insurance organisations, it enables organisations to gain 1 of 2 new Cyber Essentials badges.

Interestingly, the government requires all suppliers bidding for certain contracts involving the handling of sensitive and personal information to be certified against the Cyber Essentials scheme.

9.2 CSA STAR

CSA STAR (Security, Trust and Assurance Registry) refers directly to cloud computing. While not currently demanded by government or other organisations, it has been developed by the Cloud Security Alliance (CSA) to answer customers' concerns about the security of cloud providers. The CSA also developed the Cloud Controls Matrix (CCM), against which STAR assessments are made.

CSA STAR will help businesses adopt cloud services, as cloud service providers in particular can give customers proof that the data they hold is secure.

9.3 CYBER INSURANCE

The Association of British Insurers defines cyber insurance as 'covering the losses relating to damage to, or loss of information from, IT systems and networks'.

Its website has a wealth of information about what is and isn't covered, as well as information to help you decide whether or not you need the insurance protection.

10. CERTIFICATION PROCESS

10.1 PRE-ASSESSMENT

Outside of the various training courses and seminars held by Certification Bodies, many offer a 'Pre-Assessment' or 'Gap Analysis' service ahead of the formal certification process to identify any omissions or weaknesses. Alternatively, some choose at this point to use a consultant to give added confidence. Again, many Certification Bodies have an answer to this in the form of a consultant register. While they're not permitted to recommend consultants, they can provide details of specialists who are known to them.

10.2 STAGE 1 AUDIT

The 1st assessment, referred to as a 'Stage 1' Audit, is a document review, with the aim being to establish that, on paper at least, you're conforming to all the requirements of ISO 27001.

The length of the Audit is determined by factors such as your organisation's size and the industry you're in. This will influence the cost, so you'll be informed of the amount of time required in the form of an Audit Plan in advance.

Once the Stage 1 Audit is finished, there'll be a closing meeting to round up the findings. You'll be provided with a report detailing what happened during the Audit, with an overview of any non-conformities.

10.3 STAGE 2 AUDIT

In order to be recommended to move forward to the 'Stage 2' Audit, you'll need to close out any non-conformities by establishing a Corrective Action Plan. Much like a driving test, non-conformities are separated into minor and major variants. Whereas major non-conformities need to be acted on immediately, minor non-conformities can be reviewed at the next Audit.

The Audit itself is about demonstrating that your organisation is living and breathing what you've documented. Your Auditor will therefore need to meet with managers and staff, as well as see evidence of your Internal Audits and management reviews, as documented in the requirements of the standard.

All being well, you'll be recommended by the Auditor for certification. However, this will require final sign-off by the Certification Body's compliance department. You'll then receive a report, and any non-conformities will need to be acted on before certification can be formally awarded.


10.4 ANNUAL AUDIT

During Audits, Auditors are encouraged to share Opportunities for Improvement (OFIs) in the spirit of establishing an ethos of continuous improvement.

These are reviewed at Surveillance Audits, which must occur at least annually. In the meantime, you should maintain a schedule of Internal Audits and management reviews.

Most Certification Bodies issue certificates in line with the 3-year certification cycle. Every 3rd year, a 'Re-Certification' Audit is carried out. Whereas a Surveillance Audit will focus on improvement areas found in previous audits, the Re-Certification Audit must cover all of the standard's requirements.

As a result, it can take longer than the more frequent Surveillance Audit, and cost more as a result.

There were more than 148,000 victims of fraud in the UK in 2015 -a 56% increase since 2014

11. USING A CONSULTANT

The alternative to seeking out internal representation is to look for a specialist ISO 27001 consultant. There's an extensive network working in the field of Information Security Management Standards.

A consultant is often used for very different reasons, depending on the size of the organisation. While a small business may require hands-on help because it is resource limited, a larger organisation may have the required manpower but feel expertise is required to maximise efficiency opportunities and ensure the organisation meets more complex legal requirements.

Being in a position of reliance has its dangers. While a consultant may help overcome short-term challenges, there's a risk that long-term dependency could negate the cost-benefit of implementing ISO 27001.

It could become attractive to simply leave all things related to information security management to the consultant. The downside, though, is that while this may ensure your organisation continues to meet the requirements of the standard, you'll fail to reap the rewards due to a lack of team participation.

Your decision will ultimately be based on your motivation to implement ISO 27001. The potential issue described may not be considered a problem if certification will lead to lucrative work in the long run.

However, ensuring your consultant works to engage, involve, train and empower your staff means you'll avoid ISO 27001 simply becoming a cost to the business if the valuable contracts dry up.

When seeking a consultant, sector-specific experience is likely to be the key factor in choosing the most appropriate person for the job. In combination with an impressive CV and a collection of testimonials, it's a notable advantage for the consultant to have auditing experience.

With some requirements of ISO 27001 coming down to interpretation, having a qualified consultant acting on your behalf means you can have confidence if challenged by the Auditor of your Certification Body.

The average total cost of a data breach in 2015 increased to £2.53 million, from £2.37 million in 2014


12. CHOOSING A CERTIFICATION BODY

The financial industry has the FCA, holiday companies have ABTA, but there's no such mandated regulatory body for Certification Bodies. As a result, there's no protection for those who mistakenly choose the wrong path. It's critically important to make the right choice before signing on the dotted line.

Driven by government contracts requiring certification, the UK represents a significant proportion of worldwide ISO 27001 certificates. This demand has created an environment for opportunists to take advantage of those organisations who require certification urgently in order to qualify for a contract.

While the majority of Certification Bodies seek to demonstrate their competence and credibility through accreditation from UKAS, the UK's National Accreditation Body, others have sought "accreditation" from alternative bodies. Whereas UKAS is recognised and supported by Government, the alternatives are recognised only by themselves.

The long-term issue with this is that, once spotted, non-UKAS certificates are often rejected and, just as importantly, the credibility of ISO standards as a whole is diminished by those not implementing them in the intended spirit. Before signing, check that the Certification Body appears in UKAS's published directory of accredited bodies with ISO 27001 within its scope.

UKAS's role is to ensure Certification Bodies meet the ISO/IEC 17021 standard for conformity assessment. Achieving accreditation from UKAS involves a rigorous head office review of management, policies and procedures. Certification Bodies must also pass a test of their competence via Witnessed Assessments undertaken by UKAS.

Often, Certification Bodies without UKAS accreditation claim to be a 'one stop shop' for consultancy and certification, in an effort to market themselves as the most convenient option. However, this is in direct violation of ISO/IEC 17021's requirements: Certification Bodies must remain impartial and can only provide certification, not consultancy.

12.1 CERTIFICATION OR ACCREDITATION?

For most, certification and accreditation are interchangeable terms. However, in the world of ISO standards there is a hierarchy: Certification Bodies are accredited by National Accreditation Bodies. As a result, an organisation can only be ISO 27001 certified, not 'accredited'.

13. THE COST OF ISO 27001

Costs of implementation have been left until last, as the chosen approach will have a significant impact. It's a realistic ambition for an SME to implement and achieve certification to ISO 27001 without external assistance, and costs will be reduced as a result.

It's important to assess the impact of the resources required, and it's important that a cost-benefit assessment is carried out against other potential initiatives and investments the organisation could be making.

All Certification Bodies follow a similar approach, as cost is ultimately influenced by the time required to Audit, the amount of which is derived from an industry-agreed calculator that takes into account:

• Staff numbers;
• Industry;
• Complexity and risk;
• Number of sites.

A small company in the service industry may require just a couple of days of Auditing for the whole certification process, thanks to the relative simplicity of its processes. On the other hand, the days required to Audit a large multi-site manufacturing business could run into weeks.

As long as a site duplicates the activities of another, it can be 'sampled'. Rather than Auditing every site at great cost, visits can be rotated within the 3-year certification cycle.

The organisation's industry sector and complexity mean only certain Auditors have the appropriate knowledge, experience and qualifications to Audit. This'll have a knock-on effect for costs, with Certification Bodies typically charging between £600 and £900 per day.

Beware of hidden costs on top of the Auditing! Management and travel fees are often excluded from quotations. It's also important to check the length of a contract, as a lower fee may indicate less flexibility in the form of a lengthy agreement, where 3 years is typical.

Increasingly, Certification Bodies will quote a package cost inclusive of the Stage 1 and Stage 2 Audits, as well as the compliance and administration aspects. Despite this trend, it's still important to check for hidden costs.

These same principles can be applied loosely to the cost of using a consultant. With day rates ranging from £400 to £1,000 a day, it'll be important to balance the level of support required with the value it will deliver.

13.1 ONGOING COSTS

Maintaining certification to ISO 27001 is subject to an Annual Surveillance Audit. Some Certification Bodies will expect to see an organisation at more regular intervals based on their size and complexity, but this isn't mandated by the standard.


14. AND FINALLY...

We hope that you've found this White Paper not only interesting, but informative too! We're on a mission to make sure that businesses have great management systems in place so they can operate more effectively and efficiently, have happier customers who buy again and again, and new customers clamouring to buy too. In the end, if businesses make more money and organisations are able to reduce costs, then we're proud to have helped.

The British Assessment Bureau works with a wide and diverse range of clients, from sole traders to government departments. Each one of our clients has unique requirements and we relish each challenge. However, we never forget that it's your baby and that you'll always want the reassurance of a safe pair of hands.

We have over 40 years' experience in the certification industry, winning multiple awards along the way to help demonstrate our commitment to delivering the best service possible. We certify organisations to ISO 9001, ISO 14001, OHSAS 18001 and, of course, ISO 27001.

If you'd like to find out more:

Visit our website: www.british-assessment.co.uk

Call us on 0800 404 7007. We're looking forward to talking to you.

Stay connected on social media: Facebook | Twitter | LinkedIn | Vimeo