Context has now successfully completed the ISO/IEC 27001:2005 certification process, having been assessed by BSI and found to be compliant with the internationally recognized standard for Information Technology and Information Security Management. We selected BSI as they are a UKAS (United Kingdom Accreditation Service) accredited certification body. We felt that achieving certification through such a body provided the best way to benchmark ourselves for position and progress amongst our peers in the industry. Context is currently one of the very few companies operating in the Information Security arena to have adopted, and been successfully certified in, ISO/IEC 27001:2005.
For a while Context has been seeking a way to measure ourselves against industry best practice. As a provider of information security consultancy, we felt it was important to find a demonstrable way to assure ourselves and our clients that a) we do all we can to safeguard our sensitive data and, in doing so, our clients’ confidentiality, and b) we practice what we preach.
The ISO/IEC 27001:2005 standard was a perfect fit into our own holistic approach to security as an organization, both in the services we offer and the way we operate internally. As a standard it is all encompassing, covering the documentation and implementation of not only technical, but physical and personnel security domains too. Additionally, proper application of the standard (and therefore achievement of certification) is reliant on buy-in at all levels of the organization including a total commitment from senior management to continual improvement in all the areas the standard covers.
Although the appearance of ‘Information Technology’ in the standard’s title gives the impression that it may be little more than a checklist of technical security controls that a company is required to abide by, this is actually a bit of a misnomer - the standard prescribes an Information Security Management System (ISMS), which is far from being rigid and inflexible. Instead, Context has found that the standard provides us with a highly pragmatic framework within which we can manage the existing security controls that, as a security-minded company, we have in place already.
As a security consultancy ourselves we have always considered the security of our data as paramount, but through adopting the ISO/IEC 27001:2005 standard we now have the mechanism to continually monitor, review and improve what we do across the entire business. Context chose to certify the entire organization, from top to bottom, for the provision of all services and across all geographical locations, as an indication of our continuing commitment to standardizing best practice.
Context also appreciates the way that the standard adapts to fit your organization, providing a management framework foundation that will continue to evolve with the business. This framework puts in place the mechanism to allow the review and selection of only those security controls that are relevant and beneficial to your operational processes. In fact, there’s no let-up, as the process doesn’t stop at certification. We are continually assessed by both BSI and several of our larger client organizations to ensure that we continue to efficiently implement our own ISMS framework and improve our security posture where possible. To further enable this continuous improvement, we have established an internal team of qualified ISMS Lead Auditors, dedicated to monitoring what we do and keeping the whole business focused on security.
In certifying Context to ISO/IEC 27001:2005 we have achieved a greater understanding of our business risks and an increased assurance that we are doing everything that we can to protect ourselves against them. We hope that, in going through this due diligence, we have demonstrated to our clients, through our compliance with the international standard, our commitment to a holistic information security approach and thus to protecting their interests.
We found the whole experience a thoroughly positive one and can offer the benefit of our experience and our qualified team of consultants to help in any way to guide your organization or business unit through to certification too.