ISO/IEC 27001: Everything you need to know

As a small business owner, adopting best practice cyber security may not be at the top of your to-do list, but it should be. How much is data protection worth to you?

As an international standard for information security in the workplace, ISO/IEC 27001 is suitable for any and all businesses. To answer your questions about the process, procedure, and benefits, including the all-important first stages of your audit, here are some FAQs surrounding ISO/IEC 27001.

What is ISO/IEC 27001?

ISO/IEC 27001 is an international standard for information security and cyber protection. It details best practice information security in a way that’s actionable for your organisation. Through the process of ISO/IEC 27001 certification, you’ll implement important procedures into your business processes that will protect you against security breaches and dangerous online activity.

Who needs ISO/IEC 27001?

Because businesses around the world are becoming increasingly reliant on technology, data is valuable for everyone and therefore, information protection should be a priority for all organisations, no matter your size. Not only will it safeguard your information and make your business watertight, but it will also boost your own credibility and improve the service you deliver to customers and clients.

Do small businesses need to think about information security?

Just because a business is small doesn’t mean it’s not immune to digital threats. In fact, small businesses often have to be even more mindful than larger ones because they may not have the money or resources to rectify the damage caused by cyber-attacks. So, the answer is yes: all businesses need to make information protection a priority – no matter your size.

What are your cyber security responsibilities as an employer?

As an employer, it’s your responsibility to prevent information interception and theft, as it can severely damage your company’s reputation. You must set out rules and regulations for controlling this risk.

What are the benefits of ISO/IEC 27001?

ISO/IEC 27001 has many measurable benefits for your business. We’ve identified what we believe the five key benefits of the certification to be:

1. Improved security
2. Implemented controls
3. It aligns with current management systems
4. It creates a culture of continual improvement
5. Awards you with a mark of quality

How much does ISO 27001 training cost?

We recommend a training course if you want to know how to plan and prepare for your ISO/IEC 27001 certification. The cost of this will depend on the levels of training you require. You can expect this to cost between £1000 and £2500.

What is the statement of applicability for ISO/IEC 27001?

The Statement of Applicability (SOA) is a key component of ISO 27002. It’s a framework of policies surrounding the legality, physicality, and technicality of your information protection procedures. Completion of the SOA is a requirement for your certification.

What’s the difference between ISO/IEC 27001 and ISO 27002?

Where ISO/IEC 27001 is a management standard, ISO 27002 is more like a code of practice for security controls, outlining best practices for your data protection procedures. Businesses that are in the process of implementing ISO/IEC 27001 are required to use ISO 27002.

Does ISO/IEC 27001 cover the risks when employees bring their devices to work?

You can align your bring your own device (BYOD) security policies with controls outlined in your ISO/IEC 27001 documentation. ISO/IEC 27001 can help you prepare for employees bringing their own devices and lets you implement plans to help mitigate breaches.