Information Security Best Practice Guide from NQA


Upload: nqa

Post on 07-Aug-2015


TRANSCRIPT

Page 1: Information Security Best Practice Guide from NQA

INFORMATION SECURITY BEST PRACTICE GUIDE

NEVER STOP IMPROVING

Why Information Security?

We have become increasingly dependent on information technology to run our organisations. At the same time, this technology is being abused to perform illegal or malicious activities, such as stealing credit card numbers and intellectual property, illegally transmitting trade secrets and disrupting vital communications.

Increasingly, security breaches and hacking attempts are targeted at specific organisations to steal valuable information such as business contracts, customer lists, industrial secrets and financial data, leading to loss of business, identity theft and data breaches.

Ultimately, the greatest damage will be to the organisation’s reputation, as customers lose faith in its ability to protect their personal data.

As security threats grow, it is becoming ever more vital for an organisation to have an effective information security management system (ISMS) in place, with appropriate controls to reduce security risks to a level the organisation is prepared to accept.

Page 2: Information Security Best Practice Guide from NQA

“Attacks against small businesses increased by 10% in the past year, costing up to 6% of their turnover.” Source: The 2013 Information Security Breaches Survey

The best practice elements below should be considered in order to successfully implement an Information Security Management System.

Senior management commitment

It is vital that senior management understand and fully support the information security policies and procedures within their organisation. They should be ambassadors who continually demonstrate the importance of information security to the entire organisation. Only with full support from senior management can all employees understand their part in the management system and its continual improvement.

Determine risks and vulnerabilities

The organisation should conduct a risk assessment to determine which data is critically important to the needs of the business; this is vital in order to combat risks to your organisation’s assets. You will need to identify the assets, consider the threats that could compromise them, and estimate how likely each threat is to be realised and the damage it would cause if it were.

Policies and procedures

Organisations should develop their policies and procedures based on the vulnerabilities and threats identified. By recognising the processes within your organisation, you can select and implement the controls needed to manage these vulnerabilities. When placing controls on a system, take care that they do not become a hindrance to the very processes the business depends upon.

Information security awareness

It is vital that information security awareness starts at executive level and is then ingrained throughout the whole organisation. Security policies should be consistent with the organisation’s culture and therefore rooted deep in its ethos.

A key task for an organisation is to ensure that their employees understand the importance of information security and how they play a part in applying it to their daily working life. Ideally training should be conducted by a knowledgeable trainer who can address social engineering as well as internet and email best practice.

Continual improvement

Top management should review the ISMS at planned intervals. The review should include opportunities for improving the information security management system, including the security policy and security objectives, with specific attention to previous corrective or preventive actions and their effectiveness.

Ultimately, continual monitoring of the management system and the visibility it provides enables top-level management and key stakeholders to improve governance through on-going evaluation of critical control factors.

“In 2012, identity fraud incidents increased by more than one million victims (the highest amount since 2009).” Source: Javelin Strategy & Research

The weapon of choice

ISO 27001 has become synonymous with information security. The standard has been the fastest growing management system standard for two years running and has been implemented by over 19,000 organisations. It can be applied across all business sectors, regardless of the size and nature of the business.

As organisations become ever more dependent on technology, the need to secure information grows with it. ISO 27001 is therefore proving to be the weapon of choice.

Page 3: Information Security Best Practice Guide from NQA

What are the benefits of certification?

By obtaining certification to ISO 27001, the international standard for information security management systems, an organisation can gain a competitive edge, increase stakeholder confidence and profitability, and support its legal compliance.

Certification to ISO 27001 should be sought from a UKAS (United Kingdom Accreditation Service) accredited certification body.

Accreditation is formal recognition by UKAS of the competence of a conformity assessment body to carry out a specific service in accordance with the standards and technical regulations described in its scope of accreditation.

NQA are UKAS accredited to certify an organisation to ISO 27001. Certification is the procedure by which a third party, such as NQA, gives written assurance that a product, process or system conforms to specified requirements.

By gaining certification through NQA, your organisation can demonstrate with credibility how the security of your information has been addressed, implemented, properly controlled and independently audited by a third party organisation. This demonstrates your organisation’s commitment to information security and will increase the confidence of your customers, trading partners and all stakeholders involved.

NQA can help you

NQA is a leading global assessment, verification and certification body and works in partnership with a wide range of businesses, government departments and charitable organisations to help improve management performance.

NQA has certified organisations to ISO 27001 (Information Security) in a diverse range of sectors including SmartWater Technology, Barcode Warehouse and The European Space Agency.

• Customer satisfaction by giving confidence that their personal information is protected and confidentiality upheld

• Business continuity through management of risk, legal compliance and vigilance of future security issues and concerns

• Legal compliance by understanding how statutory and regulatory requirements impact the organisation and its customers

• Improved risk management through a systematic framework for ensuring customer records, financial information and intellectual property are protected from loss, theft and damage

• Proven business credentials through independent verification against recognised standards

• Ability to win more business, particularly where procurement specifications require certification as a condition of supply

“ISO 27001 certification is widely recognized and we regard the Standard as a commercial necessity.” Senior Systems Manager, Smart Water

“We want our customers to have confidence in us. By seeking certification to ISO 27001 they can rest assured we’ve reached demanding high international standards that enable us to protect their information assets.” Managing Director, Capito

Page 4: Information Security Best Practice Guide from NQA

Let’s talk. Please give us a call or email us today.

NQA, Warwick House, Houghton Hall Park, Houghton Regis, Dunstable, Bedfordshire LU5 5ZX, United Kingdom

08000 522424 [email protected] www.nqa.com/isms