ISO 27001 beginners guide – 5 key steps

Many businesses are now preparing for or considering ISO 27001 certification, and it's something you really should consider implementing if you host any kind of remotely sensitive information. This is the first in a short series of posts: an ISO 27001 and Information Security beginners guide.

What is ISO 27001 certification?

An ISO 27001 certification means that a regulated third-party auditor comes into your business, looks at your Information Security processes, people and records, and certifies you as compliant with the ISO 27001 standard (or not!).
The standard documents a huge array of security measures (controls); you decide which ones are applicable to your business and justify the ones you leave out.

5 key steps for an IT business

If you're preparing for ISO 27001 at some point, here are some key things that an IT-related business can start doing to be prepared. These 5 steps greatly improve what the experts call your security 'stance' (or posture).

1. Maintain a risk register: a prioritised list of risks that you are either mitigating or accepting. This must be updated regularly as new risks arise.
2. Security screen your staff. This includes the obvious stuff like CRB, reference and ID checks, but you'd be surprised how many folk don't do this.
3. Log EVERYTHING! Record pretty much everything you do related to security. Log security-related meetings that you have had (even between just 2 people), log training sessions, log security incidents. This all helps the auditor get a feel that you are doing what you say you do.
4. Screen suppliers, making sure all suppliers are secure too (our select few suppliers are ISO 27001 and government accredited).
5. Secure development: make sure your developers are following good secure development principles.
If you'd like some help getting started with ISO 27001, do feel free to get in touch; I'd be happy to give you some pointers. It took us about 6 months to get certified, and if you're looking at doing this, do it soon: it's easier when you're small and growing.

This is the first in a series of posts about ISO 27001. Future topics include the 2 types of certification, risk treatment, choosing an advisor, common terms, and some example templates. Let me know if there's anything you'd like to see!