ISO 27001 

All companies are exposed to risks. Among those risks is the threat to the information that is vital to the company's interests.

Your company holds vital information, such as its customer lists, orders and product design information. Your company cannot operate if this information is lost or corrupted. The information may be held in computer files or in paper files. However it is stored, its safety is paramount.


Do you have satisfactory physical protection? Can your business recover from a disaster?

Your customers are thinking about buying from you electronically – over the Internet or by EDI links.  They need to be reassured that their data will be safe in your hands.  They are worried about their company or personal details, their credit scoring status, and so on.  If they don’t have confidence, they won’t trade with you.

You need to have disciplines in place about security, about safe computer operation, about fail-safe procedures.  You need to be aware that most fraud is likely to be committed by your own staff and management, and you must have appropriate personnel policies to reduce the risk.

In short, you have to implement an Information Security Management System.

What do you have to do?

Following the Standard and Code of Practice, you have to conduct a Risk Analysis in your company.  This is a formal process, and you will need to consider the special risks that affect your company, and weigh them up.

Now you decide on the precautions, actions and procedures to minimize these risks.  Remember that they are your risks, not anyone else’s risks.  So the actions you take are necessary for your business.

You will need to audit your processes to see if they are effective.  Companies that already have an ISO 9000 Quality Management System will find this straightforward to do.

You now want to be sure that everything is satisfactory, so you ask Bureau Veritas Certification to perform an independent third-party Audit of your Information Security Management System.

What Bureau Veritas Certification do...

Bureau Veritas Certification review your application form and prepare an estimate based on the amount of auditing that will be required.  If you are happy, Bureau Veritas Certification agree a contract with you, and fix some dates.

Step 1: Bureau Veritas Certification review your documented Information Security Management System, and provide you with a report identifying your system’s compliance with ISO27001, and highlighting any deficiencies.  The review may be done at your place or ours.  You fix any problems.

Step 2: Bureau Veritas Certification conduct the audit (described later), and provide you with a Technical Report on our findings. The audit is typically 4-6 weeks after the Document Review (Step 1).

Step 3: You fix the problems (non-conformances) Bureau Veritas Certification find.  This must be done within 90 days, or Step 2 must be repeated.

Step 4: If Bureau Veritas Certification are satisfied, a Certificate is issued to demonstrate that you are operating an Information Security Management System that meets the standard.

Step 5: Bureau Veritas Certification conduct regular Surveillance Audit Visits, every six or twelve months, depending on the size and complexity of your company. For each Surveillance Audit Bureau Veritas Certification will provide you with a Technical Report.

What is the value to you?

• You have confidence that your Information Security Management System is sound and effective
• There is public acknowledgement that your Information Security Management System has been audited by one of the most experienced Certification companies in the world
• Your potential Business Partners, Customers and Suppliers have increased confidence in you
• You may advertise that you have gained this valuable certificate

What happens on an Audit?

If you have been through an ISO 9000 or ISO 14000 Audit, you will have no surprises.

• Before the Audit we will have agreed a detailed schedule with you
• We begin with a Meeting with the management to confirm the scope of the Audit and to resolve any last-minute issues
• We interview a selection of managers and staff on their roles and responsibilities
• We look at records and reports to see whether everyone is following your system
• We check the arrangements for physical and logical security
• We finish the Audit with a Closing Meeting with your management where we summarise our findings, and announce the result of the Audit
