
This is one of the more important standards to appear in recent years. Every organisation has an absolute need to securely manage its information, whether in hard copy or electronic format. ISO 27001 describes good practice for any organisation wishing to improve its information management and security. We’ve all heard the stories of people leaving laptops or memory sticks containing top secret information on the train! Obviously, it’s not quite like that for most organisations, but there is always confidential, sensitive and valuable information to be considered from a commercial and legal point of view, including: computer/network back-ups, personnel records, client contact lists, key supplier contacts, accounts, email, website, confidential meeting minutes, recipes, ‘inside knowledge’, customer data, design data etc.

The standard includes the following requirements:

Asset Register

This is a register of all information assets (either information itself or the media/items holding information, e.g. computers, servers, laptops, memory sticks, back-ups, filing cabinets, files etc.) and the ‘owner’ of each item of information. There is a requirement to identify threats to the information (e.g. theft, fire, deletion, disclosure etc.) and vulnerabilities (weak or no defences); this is usually done via a simple risk assessment technique and must consider the fundamental principles of information security, CIA (Confidentiality, Integrity and Availability):

Confidentiality: Recognise and identify the level of confidentiality of each item of information, and implement policy and procedure to support this. Information must be protected from access by those without authority.

Integrity: Information must be maintained in the correct intended state, and protected from unauthorised change or deletion.

Availability: Information must be readily accessible by those with appropriate authority.


Statement of Applicability

ISO 27001 includes ‘Annex A’, which compels the organisation to consider over 130 specific clauses and determine the controls required where applicable. The subjects covered are many, for example: Confidentiality Agreements, Terms & Conditions of Employment, Termination Responsibilities, Anti-Virus Software, Information Back-Up, Electronic Transactions, Password Management etc.

Risk Treatment Plan

When an unacceptable risk to information is identified against any of the CIA requirements, a suitable plan must be developed to address it.
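As an added illustration (not part of this page, and not a method that ISO 27001 itself prescribes), the following Python sketch ties the three steps above together: an asset register with owners, each asset's threats and vulnerabilities tagged with the CIA property they affect, a likelihood × impact score, and a risk treatment plan listing every risk that reaches the unacceptable threshold. The assets, ratings and the threshold of 6 are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed rating scales and threshold (assumptions for this example).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
UNACCEPTABLE = 6  # likelihood x impact at or above this needs a treatment plan


@dataclass
class Asset:
    """One row of the asset register: the item, its owner and its assessed risks."""
    name: str
    owner: str
    # Each risk: (threat, vulnerability, CIA property affected, likelihood, impact)
    risks: list = field(default_factory=list)


def score(likelihood: str, impact: str) -> int:
    """Simple risk score: likelihood rating multiplied by impact rating."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def assess(register: list) -> list:
    """Return risk treatment plan entries for every risk at or above the threshold,
    highest score first, so the owner knows what to address and in what order."""
    plan = []
    for asset in register:
        for threat, vulnerability, prop, likelihood, impact in asset.risks:
            s = score(likelihood, impact)
            if s >= UNACCEPTABLE:
                plan.append({"asset": asset.name, "owner": asset.owner, "threat": threat,
                             "vulnerability": vulnerability, "property": prop, "score": s})
    return sorted(plan, key=lambda entry: -entry["score"])


# Constructed sample register using the kinds of assets and threats the page lists.
REGISTER = [
    Asset("Sales laptop", "Sales Manager", [
        ("theft", "no disk encryption", "C", "medium", "high"),
        ("deletion", "no local back-up", "A", "low", "medium"),
    ]),
    Asset("File server", "IT Manager", [
        ("fire", "single site, no off-site copy", "A", "low", "high"),
        ("unauthorised change", "shared admin password", "I", "high", "high"),
    ]),
    Asset("Personnel filing cabinet", "HR Manager", [
        ("disclosure", "cabinet left unlocked", "C", "medium", "medium"),
    ]),
]

if __name__ == "__main__":
    for entry in assess(REGISTER):
        print(f"{entry['score']:>2}  {entry['asset']} ({entry['owner']}): "
              f"{entry['threat']} via {entry['vulnerability']} [{entry['property']}]")
```

With the sample ratings only the shared admin password (9) and the unencrypted laptop (6) reach the threshold; the remaining risks are recorded in the register but need no treatment plan.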

Business Continuity

You can imagine the risk to a business continuing its normal daily work should there be a catastrophic loss of data or some other malicious event! The standard requires that this is considered in accordance with BS 25999, and Incident & Recovery Plans developed where necessary. For example, if all your servers and computer equipment were stolen overnight, or were destroyed by fire or flood, what would be the chain of events in the short and longer term? OK, you may have that data back-up, but who organises replacement equipment and premises? Who do you ring? Who is authorised to spend money? What specifications are required? Who organises things? All the answers should be in your Incident Response Plan!

We currently have clients approved or working towards ISO 27001, and if you would like to know more please contact us using the quick contact form for a no-obligation discussion/site visit. Looking forward to hearing from you. Rob Gill (Senior Consultant)