ISO 27001
What is ISO27001?
ISO27001 is the world's most recognised standard for Information Security. It relates to the security of information in all its forms, including data, documents, communications, conversations, messages, recordings and photographs, covering everything from digital data and email to faxes and telephone conversations.
It should not be confused with ISO20001, which is the standard for Information Technology Systems Management Systems (ITSMS).
Plan-Do-Check-Act Model
The Plan-Do-Check-Act cycle is common to most British and International standards and is the basis of all sound management initiatives.
The concept is simple to operate and run.
PLAN – All aspects of a business should operate to a plan, and I mean a real plan, not the one commonly given to the bank manager that states what he wants to see but has little bearing on reality. I mean an operational plan, a plan of action. Within the "overall" plan there should be departmental or divisional plans, i.e. one for sales, one for purchasing, one for each area of your product or service. There should also be a plan for resources, both human and material.
You are planning to establish whether you have enough, too much, whether it is suitable and whether there is better out there. You may be planning for growth, expansion, acquisition, disposal, survival or to stay the same. It doesn't matter unless it matters to you. After all, it is your plan.
DO – Once the plan is in place, do it. Execute the plan. Follow it. Better it. This part of the cycle, more than any other, must be within a defined timescale, which should have been set within the planning phase. At the end of the timescale it is time to review.
CHECK – Check the results of the DO in relation to the PLAN. How did we do? Did we exceed the expectations of the plan, or did we not? During the cycle did anything change, such as a change in economics, a robbery, developments by competitors etc.? Have any other factors changed, such as the loss of a key member of personnel, illness or worse? The vital thing is to check the results against the plan and mitigate (up and down) in light of changes.
ACT – Finally, within this cycle decisions have to be made to ACT on the results. A natural conclusion is that this will lead to fresh inputs to the new PLAN.
The chosen cycle is up to you. Often cycles will be annual, 6 monthly or quarterly. Sometimes they are project or campaign dependent.
What are the benefits of having ISO27001?
Most companies opt to achieve certification for the following key business reasons:
- improvements in organisational efficiency and effectiveness
- enhanced customer confidence
- reducing the likelihood of information misuse and fraud
- competitive advantage over rivals
- requirement within 'invitations to tender'
- requirements within 'supply chains'
- requirement for 'public sector' work
- meeting legal requirements
It is the opinion of Eaglet UK that ISO 27001 will have the same impact for private sector suppliers as ISO 9001 had for public sector suppliers in the 1980s and 1990s. Forward-looking modern organisations realise that the greatest potential threat to their future success will be their failure to guard the information and assets owned by their company. Information loss and asset depletion will come from their inability to control what leaves the organisation through the activities of staff, sub-contractors and suppliers as well as competitors.
How do I get ISO27001?
We understand that very few organisations want ISO27001. You are doing it for one of the benefits above, normally because you are losing out on work because you don't have it, or because a potential or current customer has told you to get it. So we make the process of getting it as easy and as simple as possible.
Getting ISO27001 and keeping it is a three stage process.
The first stage is getting the company compliant, and to achieve this we have several options for you, all of which come with GUARANTEED certification. We know we are the first organisation (1st July 2007) to contractually guarantee that you will pass your certification. Ask us for details of this guarantee.
Our options are tailored to allow you to balance the right levels of time and financial investment. That is, with some options we do more of the work and levy a larger fee, meaning your time is kept to a minimum, while other options are more time intensive and more cost effective. The choice is yours, as follows:
Consultancy
At Eaglet we firmly believe that all management systems should be a case of the "dog wagging its tail", not the "tail wagging the dog". Our first offering is for us to do all the work for you, but write a system that is YOURS. We start with basic templates (and who doesn't) that cover all the mandatory requirements of the standard and our interpretation of best practice, drawn from first-hand practical implementation experience since July 1997. Adding to the basics, we then conduct an in-depth consultancy exercise to identify, assess and help reduce the information security risks in operating your business. This usually involves us interviewing all the departmental heads to get a firm and clear understanding of what you do, how you do it, and which bits of paper and software packages you do it on.
From there we write up YOUR system and only add to it where it is essential that we do so, i.e. we add to the system where an omission would lead to a problem in gaining certification.
Once the system is in place, we leave you for a small period of time to allow you to operate it and then conduct some internal audits, conduct a full review and prepare you for assessment.
Time investment is kept to a minimum as we do the vast majority of the work to allow you to keep doing what you do best – operating the business.
Call 08707 511007 or email wayne@eagletuk.co.uk NOW to ask for a quote. Fees will depend on the complexity of your business, the number of sites you operate from and their geographical location(s), but typically will start from £4950.00 + VAT.
Coaching
Coaching is a similar process to consultancy in that we start with the basic templates but this time teach and coach you to write your own system. This is our favoured approach because it ensures your understanding in the process. Pure consultancy often leads on to us managing the system for you, which is great for both of us, as long as it is right for you, but with our coaching option you learn the nuances of ISO27001 along the way, which allows you to run your system post certification more effectively.
Time investment is increased as you are learning ISO27001 while we help you implement the system(s); however, your financial investment is less.
Call 08707 511007 or email wayne@eagletuk.co.uk NOW to ask for a quote. Fees will depend on the complexity of your business, the number of sites you operate from and their geographical location(s), but typically will start from £2950.00 + VAT.
Workshops
Our workshop options are basically group coaching sessions. You get all the input of a coaching contract, but this time at a central location, sharing our expertise with other delegates. This often leads to highly valuable input from other organisations as ideas, experiences and learning are shared.
The workshops are scheduled once a month for 7 months. The first 6 sessions are classroom based, with the 7th session a non-UKAS assessment on your site.
The financial investment is the lowest here, and results are still the same as we offer 1 to 1 support during and between sessions to ensure that you will still gain your GUARANTEED certification at the end of the process.
Fees for workshops are £1400.00 + VAT including the non-UKAS assessment costs.
Assessment
Once you have a system in place, phase two is to get it assessed, and Eaglet can support you in this. Indeed it is at this stage that our Guarantee is applicable. At assessment you have two choices, and that is to go down the UKAS or non-UKAS route.
Why use a UKAS Approved Certification Body?
UKAS are the United Kingdom Accreditation Service, and are the body behind "official" certifications.
Usually the reason for getting something independently evaluated is to confirm it meets specific requirements in order to reduce risks. Obvious examples are product failure, health risks, company reputation or to meet legal or customer requirements. Anything or anyone can be evaluated - products, equipment, people, management systems or organisations.
Accreditation by UKAS means that evaluators i.e. testing and calibration laboratories, certification and inspection bodies have been assessed against internationally recognised standards to demonstrate their competence, impartiality and performance capability.
It is the ability to distinguish a proven, competent evaluator that ensures that the selection of a laboratory, certification or inspection body is an informed choice and not a gamble. UKAS accreditation means the evaluator can show its customers that it has met the requirements of international accreditation standards.
This means that the customer reduces the risk of selecting an incompetent evaluator and paying for, or more seriously, acting upon invalid results.
Fees for UKAS assessments vary depending on the organisation you choose. We can guide you in this choice.
Why use BSI for certification?
BSI Group is a group of companies, one of which is BSI Management Systems. Other divisions in the group are BSI British Standards, the National Standards Body of the UK, and BSI Product Services, which tests a huge variety of industrial and consumer products such as construction, fire safety, electrical, electronic and engineering products and medical devices.
BSI Management Systems are one of the leading brands for ISO certification and are recognised as the oldest and biggest in the UK. BSI currently boasts over 6000 certifications.
Why use other certification Bodies?
When a company gets certified, they are certified to an "ISO" (International Organisations for Standards – the acronym is French), "EN" (European Number) or "BS" (British Standard) standard, not to the criteria of the independent certification body.
No certification body writes or "owns" the standards; they all subscribe to the same ones, so there is no hierarchy of certification bodies, just personal choice. All UKAS certification bodies (there are over 150 in the UK) can offer the same level of certification.
Globally there are over 770,000 certifications, which means that BSI certifies less than 1% of the global market.
Why use a non-UKAS Approved Certification Body?
A non-UKAS registered body is, in essence, self-certificated. There is no guarantee of the level of service, the review process, an appeal service or any redress in case of false, erroneous or negligent assessment decisions. Bad non-UKAS bodies are regarded as the "cowboy" element in ISO certification.
For discerning buyers, certification by a non-UKAS certification body is regarded as "not worth the paper it is written on" and has no credibility.
However the advantage of using a non-UKAS certification body is that the fees for certification are usually lower and if your customer is not genuinely aware of what UKAS means, they are none the wiser.
A reputable non-UKAS certification body will give a robust assessment of a company and will work to the standards demanded in ISO17021 (Conformity assessment - Requirements for bodies providing audit and certification of management systems). A reputable non-UKAS certification body is as good as a UKAS one, cheaper and often less "officious".
Why use ECAS?
ECAS (Eaglet Certification and Assessment Service) is the sister company of Eaglet UK. It is one of the reputable non-UKAS certification bodies: all our auditors are IRCA (International Register of Certified Auditors) registered and are qualified and certificated lead auditors in the standard of your choice.
We work to the explicit requirements of ISO17021 (Conformity assessment - Requirements for bodies providing audit and certification of management systems).
How do I keep ISO27001?
Phase three of ISO27001 implementation is retaining certification once you have achieved it. You can either do this internally, in which case we will train you whether we are consulting, coaching or running workshops, or you may choose to hand it back to us to conduct on your behalf. Either way, what needs to be done is:
Systems Management
- Conduct a full suite of internal audits "at regular intervals"
- Conduct a management review at least once per annum
- Manage all errors
- Manage fixes to all errors
- Manage preventive fixes to potential errors
- Update the system in line with organisational changes
- Set, measure, analyse and update key performance indicators
- Control all hazards and risks relating to the organisation
- Control all legislation relating to the organisation
- Prove compliance to all legislation
- Manage all significant information security considerations aiming to reduce the risks
- Manage and test any potential emergency situations
- Manage any information security incidents
Call 08707 511007 or email wayne@eagletuk.co.uk NOW to ask how we can help you gain this essential accolade for your business.
