We can now officially say we are ISO 27001 certified!!

Following a very stressful week in January we have finally received our certificate for ISO27001.

The decision was made more than a year earlier to look at implementing this standard, and both the senior directors were keen to use this process not just to achieve this badge of honour, but as a real opportunity to improve our information security policies and procedures.

It has been a long process and has taken a lot of resources but our auditor was very impressed with the MY Compliance Management portal which we used to demonstrate our own compliance with the standard.

We used the following modules with great success:

• Training records - to evidence the competency of our team and the regular training undertaken.
• Legal Register - we were able to demonstrate we comply with all relevant legislation for data privacy, information security etc.
• Requirements - not just to show our compliance with the ISO 27001 standard but we built our Statement of Applicability (SOA) and policy register to easily be able to provide these on request.
• Assets - all of our data assets, physical computers and networks, and keys, included with a very clear overview of our compliance and notifications to keep us always in the know. 
• Incidents - this module is built into our IS Incident Management Plan, and allows us to track trends, root cause and learn from this for future improvements
• NCR's - we logged any minor nc's from stage 1 and were able to demonstrate the root cause and actions to close these out. Following the stage 2 we are now able to track the OFI's.
• Risks - not just to evidence the Risk Treatment plan for physical security but also for data security, which the auditor said was very comprehensive. We had a different register for our H&S and Fire safety.
• Actions - clearly able to show the top management involvement in implementing the system as well as complete action tracking for incidents, nc's and requirements.

"The MY Compliance Management Platform is seen to have contributed to the good level of Implementation of the Information Security Management System"