Information Security Management Systems

ISO 27001


ISO 27001 helps organisations develop an effective Information Security Management System (ISMS) to manage their information assets and keep them secure.


A well-run ISMS needs effective policies and procedures in order to protect your organisation, your customers and your suppliers. It includes all the risk controls (legal, physical and technical) necessary for robust information security management.

Implementing an ISO 27001 ISMS in a business of any size, operating in any area of commerce, should ensure it protects all forms of data. It helps you protect client confidentiality and manage the availability of sensitive information. Certification demonstrates that your business has the IT security management systems and controls in place to combat cyber-attacks and other threats to data integrity.

All recently updated versions of ISO standards, including ISO 27001, share a common structure of 10 sections, enabling any business working to an ISO standard anywhere in the world to show evidence of:

1-3 – The Scope of your ISMS including normative references, terms & definitions

4 – Understanding the context of your organisation including recognising the needs and expectations of interested parties

5 – Leadership and worker participation

6 – Planning of business activities, including addressing risks and opportunities and setting objectives that are S.M.A.R.T. (specific, measurable, achievable, realistic and time-based). These objectives should have relevance at all levels of the business, meaning each employee understands how their job supports meeting the Information Security Objectives

7 – Providing support to enable those activities

8 – Operating your business to achieve the ISMS

9 – Evaluating performance through feedback, internal auditing and management review

10 – Improvement!

Businesses should adopt a “Plan, Do, Check, Act” process approach that can be explained as:

Plan – Your information security policies, procedures, work instructions etc.

Do – The actual work you do

Check – How do you monitor, measure, obtain feedback and assess objectives?

Act – Management review activities assess performance and act to improve

This “PDCA” cycle leads to continual improvement and can be summarised as follows:

Why have it?

Holding the ISO 27001 standard ensures organisations are working in an effective way to establish, implement, maintain and continually improve an information security management system. It is now one of the most popular ways, all around the world, to demonstrate this.

Many organisations, including large Government departments and many larger commercial organisations with whom you might wish to consider working, make holding ISO 27001 a requirement in their tendering process. Implementing ISO 27001 policies will enable you to demonstrate to customers and stakeholders that your business is committed to maintaining data in a secure fashion.

To implement ISO 27001 successfully, your organisation should:

  • Get top management to commit to and support introduction of an ISMS
  • Define the scope of the ISMS within the framework of your own business
  • Set an ISMS policy
  • Conduct a “Gap Analysis”: acquire a copy of the standard, study every section in detail and identify the areas where work is needed to comply with it, paying particular regard to the requirements of Annex A
  • Complete required risk assessments and manage identified risks
  • Select control objectives and controls to implement
  • Create an action plan involving a logical sequence of activities, including setting timescales for completion, assigning responsibilities within your organisation and identifying the resources needed – summarised as “What, When, Who and How”
  • Involve everyone working in the business with effective internal communication
  • Prepare a Statement of Applicability
  • Regularly review your ISO 27001 system to ensure continuous improvement

You would normally then run with the ISMS for a period and carry out a full formal internal audit to check everything is in place and the system is working effectively within your business.

Once you feel you are ready for assessment you can call QSS in to conduct your initial assessment audit. Depending on the complexity of your business, we will spend at least the best part of one day auditing the ISMS against the standard and your documented procedures. This may reveal nonconformities that will have to be addressed and corrected (as applicable) before you are deemed compliant. Once you are deemed compliant, QSS will issue a certificate providing third-party confirmation that you meet the requirements of ISO 27001. After initial certification, QSS would re-audit you annually to confirm you continue to meet the requirements of the standard.

For a more detailed summary of the contents and requirements of ISO 27001, you may find this website helpful:



As mentioned above, you need to first purchase a copy of the standard and then budget the costs of implementing and running the ISMS prior to initial assessment. You may wish to do this yourselves, or you may engage an appropriately qualified and experienced independent consultant who can quote to assist you through the preparation process.

QSS can then, on request, complete your initial assessment and set up an annual surveillance cycle.

Please contact us for costs.

Call +44 (0)1923 699840,

© Quality Service Standards Ltd. Registered in England & Wales, Company No. 03804633. Registered Address: Tangent House, 62 Exchange Road, Watford, Herts WD18 0TG.