ISO 27001 – Information Security Management System Standard

ISO 27001:2005 is a standard for information security, one that is being rapidly adopted and mandated by US Federal agencies and by companies that require their suppliers to properly secure important data, software and records.

Companies that process personal consumer information, financial data, subscription information, classified data or designs, or those that develop software, will find ISO 27001 implementation an indispensable tool for ensuring proper control and secure maintenance of the information.

Formerly published as ISO 17799, the latest ISO 27001:2005 standard presents requirements for an “Information Security Management System” (ISMS), and is written to be auditable by accredited third-party certification bodies, in the same way as ISO 9001. Companies that adopt and implement the requirements of ISO 27001 help prove to the world that their management system can adequately secure important customer data during use, development or transfer.

Oxebridge offers an ISO 27001 Implementation Program which helps companies understand and implement the requirements of the standard, readying them for third-party certification should they choose to pursue it. The program follows the four-phase approach of other Oxebridge implementation programs, and results in a fully customized system that does not utilize boilerplate documentation or cut-and-paste systems.

The typical phased implementation program follows this structure:

  • Phase 1 – Information Capture. Oxebridge presents a management overview of the ISO 27001 standard, and then begins interviewing staff to ascertain the current practices of the company, determining assets subject to security management, and conducting a preliminary determination of control objectives and possible related controls.
  • Phase 2 – Documentation Preparation. Oxebridge Specialists prepare an ISMS manual and supporting procedures, forms and other necessary documents based on the results of the Phase 1 interviews. Resulting documentation is fully customized, based on the company’s current practices, and only introduces new or modified practices where the company either does not meet a requirement at all, or where current practice deviates from a requirement.
  • Phase 3 – Implementation and Training. Oxebridge Specialists assist the client in implementing the resulting systems, perform risk assessments, train employees and internal auditors, assist in the first round of ISO 27001 internal audits and facilitate an ISMS management review, including a review of the control objectives. At the end of Phase 3, the client is ready for third-party certification auditing.
  • Phase 4 – Audit Interfacing. For those clients wishing to be certified by a third-party Certification Body (“registrar”), Oxebridge will attend the audit and provide on-site assistance and facilitation, ensuring a smooth and effective audit by the registrar.

Oxebridge works with your company’s selected registrar, and has no formal relationship with any such certification body, to maintain a process that is free of any conflicts of interest.

A typical ISO 27001 Implementation Program takes about three to five months, and is therefore not a “Rapid” program; however, Oxebridge’s implementation services may be eligible for grant reimbursement.

For more information on Oxebridge’s ISO 27001 Implementation Program, or to request a quote, contact us today.