Information security with ISO 27001 certification
ISO 27001 is part of the ISO 27000 family of standards covering the protection of information assets of various kinds. The complete family consists of around fifty standards that cover everything from network security to incident management, risk management and software security. By working from a management system, your entire organization gets better protection for its information assets.
We help your organization with the management system
Our consultants have worked with ISO 27001 for many years and have deep knowledge of management systems. Together, we have guided both large and smaller companies to certification. Since ISO 27001 also touches many of our other services, it is something we are very good at.
This is what we help with in an ISO 27001 certification:
- Setup and project management
- Training and support
- Leading and coordinating the work
- Support in ISO 27001 certification
Information security management systems create protection
Protecting invaluable assets, such as personal data or customer information, is a matter of course in today's information society. Protecting the assets that store, transmit or process that information across a network is harder. This is where ISO 27001 comes in. By understanding which assets are worth protecting, we can design a tailored system of rules and procedures for the business that raises information security. This system must be based on a risk analysis, so that effort goes into handling the incidents that are both likely and would have major consequences for the business. Some protection is also dictated by law or by customer or supplier requirements, which we have to take into account when we design the governance.
Do you want to know more?
Contact us and we will help you get started with your ISO 27001 certification.
"Secify set structures and showed the way, but also inspired us to find new working methods and solutions within different parts of the business"
Victoria Ronge, CEO WinLas
Some of our customers
Scope of ISO 27001
An ISO 27001 project can be very extensive. It is therefore important to clearly define a limited area (the scope) within which we want to raise information security. Smaller businesses can cover all of their processes, but larger companies benefit from picking out specific parts, for example a data centre, the case management process or IT delivery. This makes it easier to make progress while knowledge of information security and ISO 27001 grows within the business. Often, customers' and other stakeholders' information security requirements are also aimed at a specific part of the business, and then it pays to start there.
A common mistake in ISO 27001 work is to focus on technical solutions right from the start. Technical solutions are very useful for managing certain risks, but can be counterproductive in other contexts. Excessive password requirements, two-factor authentication everywhere, encryption of every document and restrictions on access to premises often steal important time from the core business and make people feel distrusted and disengaged. We have also seen staff find their own unsafe shortcuts to get around overly tight security.
It can be at least as smart to train staff, to refrain from handling unnecessarily sensitive data, or to transfer responsibility to suppliers or customers through agreements. Certain risks can also be accepted without endangering customers or the business. ISO 27001 prescribes very few specific controls as mandatory; instead, the organization selects and justifies its protection according to its own risk assessment and needs.
The path to an ISO 27001 certification
The standard sets clear requirements for a systematic approach and for criteria used when analyzing risks and measures. The criteria come first; then risks are identified and evaluated systematically against them. When the criteria are set first, there is less doubt and discussion about what actually needs to be addressed once risk evaluation starts. Below is an example of what a plan for ISO 27001 might look like.
- Start of the project for ISO 27001
We start the ISO project with an ISO analysis. It gives us a better picture of how your organization works and highlights the needs, expectations and goals that exist. We then agree on which part or parts of the organization (the scope) are to be included in the ISO project.
- Planning / analysis
We set up a plan for how we will continue the work with the management system and establish processes for how we will find, analyze and manage security risks in the organization.
- Implementation
With the plans and processes in place, operational security work begins and the management system itself is implemented in the organization's daily work.
- Evaluation and improvement
We examine what worked and what did not in the implementation phase. We then make the necessary changes to improve the result and ensure that routines for continual improvement work.
- Certification for ISO 27001
Here are answers to the most common questions about ISO 27001. Do you have a question that is not listed? Use the contact form further down the page.
Yes, there are other information security frameworks, including NIST CSF and the ISF Standard of Good Practice.
After you have been certified, you undergo annual surveillance audits to ensure that the organization continues to meet the requirements of ISO 27001. Every three years a recertification audit is done, which is somewhat more extensive.
The purpose of ISO 27001 is to raise security in the organization through the work of the management system.
No, not everyone currently needs an ISO 27001 certification. But there are strong indications that some organizations covered by NIS2 will be required to work systematically with a management system.
To be certified, you must work with information security in a systematic way and meet the requirements set by ISO 27001. The word certification itself means a passed audit, so to be certified you must first undergo a certification audit.
The need for an information security management system (ISMS) often comes in the form of a requirement from a supplier, subcontractor, partner, authority or regulation.
ISO 27001 gives the organization a standardized way of working with security. In other words, the organization starts working from a best practice, developed by IT and information security experts, for how best to work with security in an organization.
It is entirely possible to work towards certification without necessarily getting certified. What you gain from such work is improved security that permeates all layers of the organization.
It is possible to do the ISO 27001 work without external help, but that route often takes much longer than hiring a consultant. A good start is to buy the standard, read it through and build your own framework, which you then implement in your organization through processes and routines, training and security-enhancing measures.
After the management system has been introduced and the organization has passed an internal audit, an independent certification body must review and assess the organization / management system to ensure that the requirements are met. If the audit is approved by the independent body, the certification is granted.
How long it takes to be certified depends above all on how mature you are as an organization in security terms, i.e. whether you have worked with information security before and already have certain processes in place. Other factors are how big the company is, what priority the certification has and which scope we choose to certify. As a rule, it takes an estimated 6-12 months, but we have had projects that took longer.
The entire organization becomes more resilient to cyber attacks. Awareness and the technical and organizational measures that raise security come into focus and permeate the entire organization. In addition, a certified organization fulfils many of the requirements that partners set for a collaboration.
ISO 27001 is the standard for an information security management system. By using it in your organization, you get a standardized way of working that covers all aspects of security.
If this seems interesting to your company, you can either send a message using the contact function, or simply pick up the phone and call.
We also offer services within data protection and penetration testing.
Phone: 020 – 66 99 00
Visiting address: Östra Storgatan 67, Jönköping