What is ISO 27001?
ISO/IEC 27001 is an international standard that specifies the requirements for an information security management system (ISMS). It gives organizations of all sizes guidance on planning, implementing, monitoring and improving information security, and it does so on the basis of the specific risks to which the company's data and IT are exposed. As a result, your company can protect itself not only against attacks, but also against unplanned interruptions of operations, the loss of sensitive data and damage to its reputation.
ISO 27001 covers the following areas:
- Risk management
- Information security policy
- Organization of information security
- Asset management (classification and control of company assets)
- Physical and environmental security
- Communications and operations management
- Access control
- Acquisition, development and maintenance of information systems
- Information security incident management
- Business continuity management
- Compliance with legal, regulatory and contractual (customer-specific) obligations
What are the advantages of certification to ISO 27001?
With certification to ISO 27001 from TÜV Hessen, you document the security and quality of your business processes to customers and demonstrate that you comply with an international standard. You also benefit from the following:
- Reduction of IT risks
- Competitive advantage through an internationally recognized standard
- Company-wide risk management
- A high degree of transparency and trust toward customers and partners
- Evidence toward lawmakers, customers, partners, insurers and suppliers that your organization operates securely
- Continuous monitoring and improvement of IT security
- Sustained, appropriate assurance of availability, confidentiality and integrity
- Discovery of weaknesses
- Company-wide awareness that all information must be protected, regardless of how it is presented or stored
- Relief for management, since the certificate documents fulfillment of the duty of care
- Reduction of liability risks, including in cases where the burden of proof is reversed
- Support for compliance, for example with data protection laws
How does certification take place?
First, we hold an information meeting with you in order to carefully determine the scope and area of application of the certification. This forms the basis for an offer tailored to your organization.
Audit stage 1 – readiness assessment
The certification process proper begins with the audits; the information meeting is preparatory. The objective of audit stage 1 is to assess on site whether your organization is ready for the certification audit. The results are documented in a written report.
Audit stage 2 – certification audit
Audit stage 2 is also conducted at the company's premises. Its aim is to evaluate whether the ISMS has actually been implemented and whether it is effective.
Awarding of certificate and monitoring
After a positive certification decision, a certificate valid for three years is issued. During these three years, two surveillance (monitoring) audits are performed at planned intervals; they assess, on a sampling basis, whether the ISMS is still being applied and remains effective.
What requirements does a company need to meet for certification?
For successful certification to ISO 27001, the requirements include the following:
- Establishment of a risk management process
- Performance of a risk assessment
In addition, there are requirements relating to your information security management system documentation:
- Definition of the assets to be protected and of the information security policy
- Definition of the scope of the ISMS and of its processes and procedures
- Documentation of a systematic risk analysis
- Statement of Applicability (SoA), stating which ISO/IEC 27001 controls are applied and justifying any exclusions