This blog provides a hands-on account of the implementation of an Information Security Management System (ISMS) based on ISO 27001 and ISO 27002. It relates the experiences of the in-house company director responsible for the implementation.
The blog is inspired by the fact that there is a lack of straightforward and concise information about ISO 27001 which most directors and executives can easily understand. In particular, there is very little written about the internal company experience. The project featured is the deployment of an Integrated Management System (IMS) incorporating an ISO 9001 Quality Management System and an ISO 14001 Environmental Management System in addition to ISO 27001.
In its earlier stages, the blog content is more general, focussing on business strategy, the implementation of ISO 9001 as the basis of the management system, and on ISO 27001.
As time goes by, the blog will centre on ISO 27001, analysis of its individual controls and clauses, and on information security issues.
The company director responsible for the implementation is Julian Fraser. The budget is tight and there is a need to keep the use of external consultants to a minimum.
Julian writes about the challenges he faces:
- Sourcing information and getting help
- Decoding the convoluted language of ISO 27001 and other material written about it to determine what is practically required.
- Integrating ISO 27001 with ISO 9001 Quality Management and ISO 14001 Environmental Management as an Integrated Management System (IMS)
- Applying ISO 27001 and information security in a way which is workable and beneficial to a secure data destruction business
- Navigating the audit and accreditation process
- Using ISO 27001 to win public sector business.
Please note that:
- Certain information about Data Eliminate’s security systems has been changed or omitted for obvious reasons.
- Some entries comprise diary and other records which were made before the date of the posting in which they are featured.
- Where appropriate, the names of individuals and organisations have been changed.