It would be unusual for a finance or insurance sector company to have no controls in place to manage information security. However, controls are often in place because security-savvy IT staff know how to configure their systems securely, and not necessarily because there is a structured Information Security Management System (ISMS) behind them. IT departments are often good at technology but less good at structure, policy and management systems.

Many IT departments introduce security controls in a haphazard way. Typically, ‘point solutions’ are introduced to solve specific problems as they arise. Others are introduced simply as a matter of convention. Such a piecemeal approach to security will only address some aspects of IT or data security, and can leave valuable non-IT information assets such as paperwork and proprietary knowledge less well protected and vulnerable. The ISO/IEC 27001 standard was introduced to address these issues.


    Top FAQs About ISO 27001

    What are the Requirements of ISO 27001?

    ISO/IEC 27001 specifies a formal management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates certain requirements. Organisations that claim to have adopted ISO/IEC 27001 can, therefore, be formally audited and certified as compliant with the standard.

    ISO/IEC 27001 requires that the organisation’s management:

    • Takes a structured approach to examining the organisation’s information security risks, which takes account of the threats, vulnerabilities and impacts.
    • Designs and implements a coherent and comprehensive set of information security controls or other forms of risk treatment (such as risk avoidance or risk transfer) to address the risks that are deemed unacceptable.
    • Adopts a management process to ensure that the information security controls continue to meet the organisation’s information security needs on an on-going basis.

    The business benefits of ISO 27001 certification are considerable. Not only do the standards help ensure that a business’s security risks are managed cost-effectively, but the adherence to the recognised standards sends a powerful message to customers and business partners.

    ISO 27001 provides structure for monitoring, reviewing, maintaining and improving a company’s information security management system and will give partner organisations and customers greater confidence when they interact with your business.

    Security is high on the agenda of many of your customers and they want to deal with suppliers that can show that they take security seriously themselves. Some customers will now only deal with suppliers that are ISO 27001 certified.

    • ISO 27001 is the de facto international standard for Information Security Management.
    • It demonstrates a clear commitment to Information Security Management to third parties and stakeholders.
    • It can provide a framework to ensure the fulfilment of commercial, contractual and legal responsibilities.
    • It provides a significant competitive advantage, and can effectively be a licence to trade with companies in certain regulated sectors.
    • It provides a common framework that supports interoperability between organisations, or between groups within an organisation.
    • It can provide compliance with, or certification against, a recognised external standard which can often be used by management to demonstrate due diligence.

    Our approach to most ISO 27001 engagements is to initially carry out a Gap Analysis of the organisation against the clauses and controls of the standard. This provides us with a clear picture of the areas where companies already conform to the standard, the areas where there are some controls in place but there is room for improvement and the areas where controls are missing and need to be implemented.

    For some organisations, this will be the extent of the assistance required. However, following the Gap Analysis and debrief, it may be necessary to provide additional assistance by way of advice, guidance and implementation of suitable controls and policy documentation that will be required to meet the standard.

    Working with

    to help your own suppliers implement security standards including ISO 27001 can also be an important part of your supplier management programme. It addresses an important area of your Information Security Management System and strengthens the relationship with your key suppliers.