Information security policy: ISO 27001

Dec 01, 2022 Audit

Organisations hold an enormous amount of information, much of it confidential and privacy-sensitive. That information must not become public, and if it does, the consequences can be far-reaching. As a business owner, you must therefore implement proper protection for all the information your company holds. Would you like to demonstrate that your organisation does indeed handle information securely? An ISO 27001 certificate shows that your information security policy is in order. This blog explains what the ISO standard entails, and how complying with it strengthens your organisation. You will also learn how to obtain the ISO 27001 certificate, and how DEKRA can assist you with this.

What is the ISO 27001 information security policy?

ISO 27001 is a globally recognised standard for information security. Certifying against it means implementing a sound information security strategy for your organisation. In doing so you meet not just the legal requirements, but also the expectations of customers, employees and other stakeholders.

Why does ISO 27001 ensure a good information security policy?

You can consider ISO 27001 as a means of getting your information security policy in order. But why is it so important? And what benefits does it bring?

1. You meet your customers’ requirements

Customers impose increasingly stringent demands on how companies handle their data. Often, they even ask to see ISO 27001 certification when tendering. So, holding this certificate can be a requirement for winning a contract. It proves to customers that their information is in good hands.

2. You seize commercial opportunities

ISO 27001 can be the clincher in persuading potential customers to do business with your company. The certificate proves to your customers that you take your information security seriously. You also increase your edge over any competitor not holding a certificate.

3. You protect your reputation

Managing risks properly can significantly reduce the likelihood of reputational damage. In acquiring ISO 27001 certification, you first identify your information security risks. Then you work to reduce the inherent risks. So you are working proactively, not reactively.

4. You create awareness in the workplace

Achieving ISO 27001 creates awareness among employees. This reduces the risk of incidents and any reputational damage.

5. You can assume that you comply with European laws and regulations

Compliance gives you access to national and international markets. Holding an ISO 27001 certificate lets you rest assured that you are in compliance with information security laws and regulations.

How do I obtain ISO 27001 certification?

Are you having yourself certified by DEKRA for an ISO 27001 information security policy? Then you should assume it will be a six- to nine-month process, entailing the following steps:

1. We perform an audit of your documentation, looking at your risk analysis, for example.
2. We perform an audit of the implementation, among other things considering the effective functioning of the management system.
3. You receive the certificate, valid for up to three years.
4. We conduct a follow-up audit every year.
5. Recertification occurs in the third year. We conduct another audit, after which you can receive a new certificate.

You may also opt to begin with a trial audit prior to the actual certification process. We then assess and check the Information Security Management System (ISMS) documentation for completeness and conformity with the standards. This audit is not compulsory, but it is useful. It’s a good way of discovering just how your organisation is doing prior to the actual process, and you can still take action where needed. This increases your chances of a positive outcome for the real audit.