ISO 27001 – Let QCS Help You


"QCS have, for several years, provided us with the support we needed to ensure our quality systems remain effective and in conformance with ISO9001. We look forward to continuing the working relationship."

Andrew Duncan Director of Vessels CMAL

Make the most of ISO 27001 certification

ISO 27001 training with our experts will help your organisation to keep information assets secure.

Not sure which ISO 27001 training is right for you? We can provide you with the very best training on the standard as well as offer consultancy services to make your journey to recognition as easy and rewarding as possible.

Our training courses include:

Information about our ISO 27001 consultancy support can be found here.

Need some help?

Email us here or speak to one of our experts today by calling:

01236 734447


What is ISO 27001?

Information security management, simply defined, is the set of processes an organisation has in place to identify the data and other information that needs safeguarding and to protect it. ISO 27001 is the international standard for information security management systems (ISMS); it sets out the requirements an organisation must fulfil in order to be recognised, through certification, as conforming to the standard.

Why? Your clients and customers seek ISO 27001 certified suppliers and contractors for several reasons. Primarily they are looking for the assurance that ISO 27001 gives them that their data will be handled securely, in accordance with the law and only for the purposes it was provided for. They may also hold ISO 27001 themselves and have chosen to pass the expectation down their supply chain that suppliers work to a similar standard. Having ISO 27001 is sometimes a prerequisite for being shortlisted for tenders or proposals; without it you will not even get over the first hurdle.


"McDowell Machine Tool Solutions was looking for support to develop and implement an effective management system to meet the requirements of ISO9001 and ISO14001. QCS International consultants were quick to establish what our specific requirements were and to introduce systems that were useful, relevant and that fitted into our business. They have now become a part of our team to maintain and audit our management system."

Susan McBain, McDowell Machine Tool Solutions


"With QCS helping us we have really benefitted from having a quality management system. With QCS it is never a paper exercise: the systems have allowed us to grow, improve how we do things and see increased satisfaction amongst our customers. The support from someone looking in also means we get a fresh pair of eyes that highlights improvements and a new perspective. We hope the working relationship we have continues."

Frances Maiden, Director, Harry Maiden Ltd

FAQ

The standard sets out a number of requirements that must be met. These vary, but most organisations will already be meeting some of them to a greater or lesser extent. For example, you must have mechanisms in place for maintaining the physical security of the equipment that stores data, records of data destruction, and controls that allow you to process and analyse data securely and in accordance with your contractual obligations.

There are some requirements that organisations will find more awkward to achieve if they are unfamiliar with the international standard; QCS can help you with these and train your staff to be able to take your certification forward.

Gaining certification is much more than a badge. It requires you to examine your own organisation and to commit to improving its processes. It also gives you a framework for understanding the key risks you face and for developing strategies to manage them, and to take advantage of the opportunities that come with them.

The first stage is to review your current arrangements against the clauses of the standard. This highlights the gaps you have and what you will need to do to gain certification. Some gaps can take several months to close, because the certification body (the organisation that awards you ISO 27001) will want to see that whatever systems you have are operating and that there is evidence they have been doing so for some time.

QCS can complete a gap analysis for you if you wish and we can then supply you with the training and support to deliver the identified actions.

The types of things you might have to do include (not exhaustive):

  • A review of risks and opportunities and how you manage these
  • Setting and delivering key business objectives and targets
  • Introducing robust measures for the physical protection of data and information you hold
  • A mechanism for dealing with data breaches or when things go wrong
  • A system for dealing with personnel and personnel changes
  • Internal auditing
  • Meetings and review to monitor progress and decide upon next steps

QCS only works with companies that are seeking a certificate awarded by a UKAS accredited body. The United Kingdom Accreditation Service (UKAS) is the only body in this country that authorises organisations to award fully recognised certification to ISO 27001. Non-UKAS certification bodies exist, but some organisations will not recognise their certificates, so be careful who you get your certificate from and how long you are tied into a contract. If you are unsure what is best for you, do get in touch.

When you are ready, you invite a certification body to undertake a stage one and a stage two audit of your organisation. Stage one reviews the design, structure and elements of the information security management system; stage two seeks evidence that it is working effectively. There can be several months between the stage one and stage two audits, although it can be a matter of weeks if everything has been set up successfully.

If all is satisfactory after stage two you will be awarded certification.  Certificates from UKAS accredited bodies are valid for three years.

Being awarded certification is not the end of the process. ISO 27001 requires a commitment to continual improvement and to maintaining the effectiveness of your information security management system. Your certification body will set out a programme of surveillance audits over the three years (the frequency depends on the size of your organisation and the risks you face). Most small businesses simply have an annual visit. If there are no significant findings, or you are able to resolve any that are raised, you retain your certificate.

After three years a recertification audit is held and, if you have no major non-conformances (that is, no significant deviations from the requirements of the standard), a new three-year certificate is awarded.
