If you’re serious about selling services to major organisations then you need to have ISO27001.
Achieving ISO27001:2013 requires a rigorous and dedicated approach to your information security management systems (ISMS). Of course, you may already have sturdy processes in place but once you obtain ISO27001, bidding for new contracts with the government or with major companies becomes much easier.
Gary Jowett, from Computer & Network Consultants in Brighton, explains: “Before we achieved ISO27001:2013 we always had to write a lengthy description of all our processes on customers’ supplier forms. Now all we need to do is insert the certificate code on their forms. Achieving certification was, in fact, just a rubber stamp for our existing processes. It was worth all the hard work, however, because it’s an essential prerequisite for most major organisations. As more services are outsourced by local and national government and by large companies, every business, whatever its size, will need to have ISO27001 to bid for new contracts.”
Is your IT consultant certificated?
To help you prepare for certification, it’s a good idea to get advice from an independent IT consultant who already has ISO27001:2013. The consultant will provide helpful guidance about what to have in place before applying to be assessed.
Obtaining the standard is also good for your business processes in the long term because it compels you to maintain the high standards it sets. It also prepares your business for the new European Union General Data Protection Regulation (GDPR). Unlike a directive, which each member state transposes into its own national law, the GDPR is effectively a law in its own right, because it will be implemented directly in all 28 member countries.
Another good reason for having ISO27001 is that it demonstrates adherence to the same high standards set by leading cloud services providers. You can show that your approach to ISMS won’t be the weak link in the chain, which is reassuring for customers who agree to have their data stored in the cloud.
Seek advice to get prepared
Should you need help preparing for certification, it is advisable to speak to an IT consultant, because there’s a lot to consider. You need to have an established information security policy, and the roles and responsibilities for managing it must be clearly defined. You’ll also need to show that you carry out regular, well-documented information security risk assessments, and your company’s ISMS objectives and targets need to be measurable, well documented and properly communicated.
In addition, you will have to carry out regular internal audits to check that your ISMS is still effective and conforms with ISO27001:2013.
If it isn’t up to standard, you will lose the certification, which is a black mark you don’t want to have when procurers come along checking the quality of your business.