Business Information Security


Nicola Brown

Protecting a company's assets was, until fairly recently, largely a matter of locks, keys and monitoring individual employees and visitors.

However, in a few short years, electronic data security rapidly overtook physical security as the key vulnerability to be addressed by any organisation wishing to survive in the new digital environment.

Information security management has become a key business discipline, and adoption of the standards relating to it brings companies a number of benefits.

The ISO/IEC 27001 Information Security Standard

ISO/IEC 27001 is the internationally agreed specification for information security. It requires that management:

  1. Systematically examines the organisation's information security risks.

  2. Designs and implements a coherent and comprehensive suite of information security controls and/or other forms of risk treatment.

  3. Adopts an overarching management process to ensure that the information security controls continue to meet the organisation's information security needs on an ongoing basis.

An Information Security Management System (ISMS) is an integral part of attaining and maintaining the ISO 27001 standard. An ISMS is a set of policies that brings information security under explicit management control.

The governing principle behind an ISMS is that an organisation should design, implement and maintain a set of processes and systems to manage threats to its information assets, thereby ensuring that acceptable levels of information security are maintained over the long term.

Benefits of adopting ISO/IEC 27001

Many information security incidents are entirely preventable, and the implementation of an Information Security Management System (ISMS) enables businesses to establish a stronger information security posture and reduce the impact and cost of incidents resulting from a weak infrastructure.

ISO/IEC 27001 also incorporates the Plan-Do-Check-Act cycle. This allows the ISMS to be reviewed, updated and tailored on a regular basis to ensure it remains relevant and effective for the organisation.

ISO 27001 provides a company with assurance that the information it holds is contained and monitored in a secure manner. It provides a framework for companies looking to enhance their Information Security Management System and to develop and strengthen best practice.

It can also be a deciding factor in contract tenders. Holding ISO 27001 certification instils confidence and raises the general perception of the company.

Implementing an Information Security Management System (ISMS)

External consultants such as London-based QCC Information Security are qualified lead auditors with first-hand experience of implementing the clauses and controls required by this industry best practice.

They use their expertise to help:

  • Adapt the ‘Plan-Do-Check-Act’ scheme to tailor the ISMS for each organisation.

  • Reduce the complexity of security controls and distil a clear and prioritised set of objectives.

  • Implement a risk-based approach that is manageable and understood by the organisation.

  • Develop a security policy that is simple, concise and easily understood by your staff, ensuring they understand their security obligations.

In addition, external consultants will support you in reviewing your existing security framework and help you understand whether your security controls are addressing the real threats to your assets.

About the Author

QCC Information Security has a team of highly experienced consultants ready to help you implement and maintain the required clauses and controls of your ISO 27001 ISMS.