FAQ:ISO27001

From Hornbill
Revision as of 12:27, 5 January 2016 by Keiths

What is ISO 27001

ISO 27001 (formally ISO/IEC 27001:2005) is the specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures covering the legal, physical and technical controls involved in an organisation's information risk management processes. Being ISO 27001 certified means that we have demonstrated to an external certification body that we meet the requirements of the standard, and therefore that information security, physical security, risk management and other best practices are built into everything we do through the processes we follow.

Who is Responsible for Compliance

Ultimately, the CEO, as all processes must be approved and supported by the board of directors. However, all members of the cloud team are committed to maintaining our certification and take an active role in designing and implementing processes and controls. Other parts of the business, from HR to Development, also play a vital role by ensuring that all processes are followed and that information security and risk assessment are incorporated into every action performed.

How Often are we Audited

We are audited every 12 months. In order to stay certified we must not only show the documented processes but also how they are implemented in the business, and show that everyone affected by a process understands its requirements and adheres to its contents. We must also show that, where necessary, checks and controls are in place to ensure that a process cannot be circumvented.

What Processes are covered under ISO

The list is below; however, many of these processes are expanded to include additions not necessarily covered by ISO 27001 but that are either deemed important or are best practice.

  • Risk Management
  • Information Security
  • Management Systems
  • Mobile Security
  • HR Security
  • Asset Management
  • Information Classification & Handling
  • Access Control
  • Network Policy
  • Cryptography Controls and Usage
  • Physical and Environmental Security
  • Operations
  • Communications
  • Supplier Relationships and Procurement
  • Incident Reporting/Handling and Management
  • Change Reporting/Handling/Planning and Management
  • Business Continuity and Disaster Recovery


Not Necessarily ISO

Laws, Statutory requirements and Compliance

This depends on the geographical location of the data centre in which your instance is hosted.

Europe (the Acts listed are UK statutes)

  • Data Protection Act 1998
  • Copyright, Designs and Patents Act 1988
  • Computer Misuse Act 1990

America

Australia