All forms of information are assets, and like all other important business assets, it is essential that they are fully protected. When it comes to information about our clients, their systems and customers, clearly this need is even more imperative.
As businesses increasingly become connected to the outside world via the internet and advanced telecoms, our information assets become exposed to a growing number of threats and vulnerabilities.
The ISO27001 standard is designed to set out appropriate security protection for our information assets. It does this by first compiling an asset inventory, then assessing the risks to those assets, and finally drawing up controls in the workplace to treat those risks.
Information security is achieved by implementing a suitable set of controls to ensure that our specific security and business objectives are met. These processes are monitored, reviewed and improved where necessary as part of the Integrated Management System that runs alongside our ISO9001 and ISO14001 standards.
The ISO27001 framework covers:
- Information Security Policy
- Information Security Scope Document
- Organisation of Information Security
- Asset Inventory
- Risk Assessment
- Risk Treatment
- Asset Management
- Human Resources
- Physical and Environmental Security
- Access Control
- Systems Acquisitions, Development and Maintenance
- Incident Management
- Statement of Applicability
In addition, an internal auditing programme is followed, and internal audits are carried out by Gary Walmsley. Management Review Meetings are held every six months, chaired by Gary Walmsley and attended by the Management Forum.