ISO 27001 for Finance and Insurance Companies

ISO/IEC 27001 specifies a formal management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates certain requirements. Organisations that claim to have adopted ISO/IEC 27001 can, therefore, be formally audited and certified as compliant with the standard.

ISO/IEC 27001 requires that the organisation’s management:
Takes a structured approach to examining the organisation’s information security risks, which takes account of the threats, vulnerabilities, and impacts.

Designs and implements a coherent and comprehensive set of information security controls or other forms of risk treatment (such as risk avoidance or risk transfer) to address the risks that are deemed unacceptable.

Adopts a management process to ensure that the information security controls continue to meet the organisation’s information security needs on an on-going basis.

The business benefits of ISO 27001 certification are considerable. Not only do the standards help ensure that a business’s security risks are managed cost-effectively, but the adherence to the recognised standards sends a powerful message to customers and business partners.

ISO 27001 provides structure for monitoring, reviewing, maintaining and improving a company’s information security management system and will give partner organisations and customers greater confidence when they interact with your business.

Security is high on the agenda of many of your customers and they want to deal with suppliers that can show that they take security seriously themselves. Some customers will now only deal with suppliers that are ISO 27001 certified.

• ISO 27001 is the de facto international standard for Information Security Management.
• It demonstrates a clear commitment to Information Security Management to third parties and stakeholders.
• It can provide a framework to ensure the fulfilment of commercial, contractual and legal responsibilities.
• It provides a significant competitive advantage, and can effectively be a license to trade with companies in certain regulated sectors.
• It provides for inter-operability between organisations or groups within an organisation.
• It can provide compliance with, or certification against, a recognised external standard which can often be used by management to demonstrate due diligence.

Our approach to most ISO 27001 engagements is to initially carry out a Gap Analysis of the organisation against the clauses and controls of the standard. This provides us with a clear picture of the areas where companies already conform to the standard, the areas where there are some controls in place but there is room for improvement and the areas where controls are missing and need to be implemented.

For some organisations, this will be the extent of the assistance required. However, following the Gap Analysis and debrief, it may be necessary to provide additional assistance by way of advice, guidance and implementation of suitable controls and policy documentation that will be required to meet the standard.

Working with

to help your own suppliers implement security standards including ISO 27001 can also can be an important part of your supplier management program.  It addresses an important area of you Information Security Management System and  strengthens the relationship with your key suppliers.