Cyber Security safeguard offers much more than just protection

What is most beneficial about cyber security safeguards, Well, you will not only benefit from the better protection of your own information, but you will also gain a competitive advantage by demonstrating your cyber credentials.

English: ISMS activities and their relationshi...

English: ISMS activities and their relationship with Risk Management (Photo credit: Wikipedia)

For example, certification to ISO 27001 or evidence of compliance with the PCI DSS (for merchants and service providers) is often a tender or contractual requirement because it proves that an organization has been independently audited against internationally recognized security standards.

Those that implement an information security management system (ISMS) will benefit hugely from improved processes and control of data within the organization.

Furthermore, improving and having demonstrable cyber security can also reduce your cyber security insurance. And finally, it will also dramatically reduce the chances of you experiencing a cyber attack. That’s kind of improvement.

Comments (1)

DISC InfoSec FB Page

“Like” our page on Facebook

DISC InfoSec Facebook Page

Comments (1)

How to identify risks, threats and vulnerabilities for small business

Small business owners are often lulled into a false sense of security, thinking that only major retailers, banks and healthcare companies are at risk of a data breach.

Although a malicious attack is the most commonly discussed threat to cyber security, it isn’t the only type your business should watch out for. Natural disasters, human error and internal attacks can wreak havoc with your systems and data.

vsRisk helps you meet every essential compliance requirement.

  • Includes six pre-populated control sets:
    • ISO/IEC 27001:2013 and ISO/IEC 27001:2005
    • PCI DSS v3
    • NIST SP 800-53
    • Cloud Controls Matrix
    • ISO/IEC 27032.
  • Fully compatible with ISO 27001:2013.
  • Includes integrated, searchable databases of threats, vulnerabilities and risk scenarios.
  • Produces a set of exportable, reusable and audit-ready ISO 27001-compliant reports.
  • Features a controls console that offers a quick view of the status of controls and actions planned.

Have you identified all the risks, threats and vulnerabilities that your organisation’s data and intellectual capital faces?

vsRisk Standalone - Basic

vsRisk Standalone – Basic

An information security risk assessment using vsRisk can provide a deeper understanding of your IT weaknesses and exposures.

 vsRisk has been proven to save huge amounts of time, effort and expense when tackling complex risk assessments. Fully compliant with ISO 27001:2013, this widely applicable risk assessment tool automates and delivers an information security risk assessment quickly and easily. vsRisk Standalone is intended for a single, desktop-based user.

Leave a Comment

Top 50 InfoSec Blogs


DigitalGuardian Top 50 Infosec Blogs list. Top 50 Infosec Blogs


DigitalGuardian by Verdasys offers solution in the DLP area including advanced threat protection. Seems like a worth while list.

Below are the Top 10 InfoSec Blogs from the list.

1. Wired’s Threat Level

2. Roger’s Information Security Blog

3. Dark Reading

4. Krebs on Security

5. ThreatPost

6. IT Security Guru

7. Dan Kaminsky’s Blog

8. Security Weekly

9. Kevin Townsend’s IT Security

10. BH Consulting IT Security Watch

Leave a Comment

Have you heard about the Pwn Phone 2014?



If you have to undertake vulnerability scans or penetration tests at remote sites as part of your day-to-day activities, having to lug around a laptop and other scanning and penetration testing kit can be a real pain. Having the right tools for the job is crucial.

But how can you ensure you have the right tools for the job and eliminate the need to lug around bulky equipment? The simple answer is the Pwn Phone 2014. This sleek LG Nexus 5 mobile phone doubles as a powerful penetration testing device that makes it easy to evaluate wire, wireless and Bluetooth networks.

The most portable penetration device yet, its custom Android front-end and Kali Linux backend, and comprehensive suite of one-touch penetration tools, render it the ideal choice for pen testers who are on the road or conducting a company or agency walkthrough.

Watch a demonstration of the Pwn Phone in the below video:

Go mobile with the Pwn Phone 2014.

Leave a Comment

Independent Risk Assessment

RA toolkit

The essential suite for undertaking an independent risk assessment compliant with ISO/IEC 27001; supporting ISO/IEC 27002 and conforming to ISO/IEC 27005, whilst providing guidance to multiple internal Asset Owners.

Risk assessment is the core competence of information security management. This toolkit provides essential information, guidance & tools YOU NEED to undertake an effective ISO 27001 risk assessment.

The No 2 Risk Assessment Toolkit has the added benefit of supplying five soft cover versions of Risk Assessment for Asset Owners: A Pocket Guide. This enables you to provide a copy of the pocket guide to each member of staff involved in the ISO 27001 implementation, so that they can understand the risk assessment process.


What’s included?

Information Security Risk Management for ISO 27001/ISO 17799 (eBook): provides comprehensive guidance on risk management, in line with the requirements of ISO 27001. It is essential reading for anyone undertaking an ISO 27001 risk assessment.

The requirements for an ISMS are specified in ISO27001. Under ISO27001, a risk assessment has to be carried out before any controls can be selected and implemented, making risk assessment the core competence of information security management.

This book provides information security and risk management teams with detailed, practical guidance on how to develop and implement a risk assessment in line with the requirements of ISO27001.


vsRisk™- the Cybersecurity Risk Assessment Tool : vsRisk is a unique software tool designed to guide your organisation through the process of carrying out an information security risk assessment that will meet the requirements of ISO 27001:2005.

The contents of this toolkit provide clear, practical and comprehensive guidance on developing a risk management methodology that meets the requirements of ISO27001, the information security management standard, and how to carry out a risk assessment that will help achieve corporate risk management objectives.


The Cybersecurity Risk Assessment Tool which:

  • Automates and delivers an ISO/IEC 27001-compliant risk assessment.
  • Assesses confidentiality, integrity &; availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001.
  • Supports / conforms / complies to ISO/IEC 27001, ISO/IEC 27002, BS7799-3:2006,ISO/IEC TR 13335-3:1998, NIST SP 800-30 and the UK’s Risk Assessment Standard.
  • One year of support get all software updates and unlimited telephone and email support for a year.

vsRisk™ – the Cybersecurity Risk Assessment Tool comes in two forms – Standalone or Network-enabled (single user licence). vsRisk Network-enabled (single user licence) has exactly the same functionality as the vsRisk Standalone version – but can be installed on a network.


Risk Assessment for Asset Owners: A Pocket Guide (eBook):
This Pocket Guide to the ISO27001 risk assessment is designed to assist asset owners and others who are working within an ISO27001/ISO27002 (ISO17799) framework to deliver a qualitative risk assessment.

The contents of this toolkit provide clear, practical and comprehensive guidance on developing a risk management methodology that meets the requirements of ISO27001, the information security management standard, and how to carry out a risk assessment that will help achieve corporate risk management objectives.

Benefits of a risk assessment

  • Stop the hacker. With a proper risk assessment, you can select appropriate controls to protect your organisation from hackers, worms and viruses, and other threats that could potentially cripple your business.
  • Achieve optimum ROI. Failure to invest sufficiently in information security controls is ‘penny wise, pound foolish’, since, for a relatively low outlay, it is possible to minimise your organisation’s exposure to potentially devastating losses.
  • Build customer confidence. Protecting your information security is essential if you want to preserve the trust of your clients and to keep your business running smoothly from day to day.
  • Comply with corporate governance codes. Information security is a vital aspect of enterprise risk management (ERM). An ERM framework is required by various corporate governance codes, such as the Turnbull Guidance contained within the UK’s Combined Code on Corporate Governance, and the American Sarbanes-Oxley Act (SOX) of 2002, and standards such as ISO310000.


Leave a Comment

When to use tools for ISO 27001/ISO 22301 and when to avoid them

ISO 27001 2013

If you’re starting to implement complex standards like ISO 27001 or ISO 22301, you’re probably looking for a way to make your job easier. Who wouldn’t? After all, reinventing the wheel doesn’t sound like a very interesting job.

So, you start looking for some tool to help you with these information security and business continuity standards, but beware – not every tool will help you: you might end up with a truck wheel that doesn’t fit the car you’re driving.

Types of tools

Let’s start first with what types of tools you’ll find in the market that are made specifically for ISO 27001 and ISO 22301:

a) Automation tools – these tools help you semi-automate part of your processes – e.g., performing the risk assessment, writing the business continuity plans, managing incidents, keeping your documentation, assisting in measurement, etc.

b) Tools for writing documentation – these tools help you develop policies and procedures – usually, they include documentation templates, tutorials for writing documentation, etc.

Pros and cons of automation tools

Automation tools are generally useful for larger companies – for example, using spreadsheets for assessing risks can be a problem if you have, e.g., 100 departments, because when you have to merge those results this becomes very difficult. Or, if you have 50 different recovery plans and you want to change the same detail in each of them, using a tool is probably much easier.

However, applying such automation tools to smaller companies can prove to be very expensive – most of these tools are not priced with smaller companies in mind, and even worse – training employees for using such tools takes too much time. Therefore, for smaller companies, performing risk assessment using Excel or writing business continuity plans in Word is a very quick and affordable solution.

There are some tools for which I personally see no purpose – for example, tools for keeping ISO documentation. For that purpose, larger companies will use their existing document management system (e.g., SharePoint), while smaller companies can upload the documentation to shared folders with defined access rights – it doesn’t have to be any more sophisticated than that.

Can you automate everything?

One important fact needs to be emphasized here: automation tools cannot help you manage your information security or business continuity. For instance, you cannot automate writing your Access control policy – to finalize such a document, you need to coordinate your CISO, IT department and business side of the organization, and only after you reach an agreement can you write this policy. No automation can do that for you.

Yes, you can semi-automate the measurement of success of particular controls, but again a human needs to interpret those results to understand why the control was performing well or poorly – this part of the process cannot be automated, and neither can the decision on which corrective or preventive actions need to be taken as a result of gained insight.

What to watch out for when looking for documentation writing tools

You won’t need tools for writing your policies, procedures, and plans if you already developed your documentation based on a framework that it similar to ISO 27001 – e.g., COBIT, Cybersecurity Framework, or NFPA 1600. Also, if you hired a consultant, then it will be his duty to write all the documents (see also: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant).

In other cases you will find documentation writing tools (i.e., documentation templates) quite useful because they will speed up writing your policies and procedures. The main question here is how to choose the right ones – here are a couple of tips:

  • Are they appropriate for your company size? If you are a small company and the templates are made for big companies, they will be overkill for you, and vice versa.
  • Which kind of help do you receive for writing documents? Are there any guidelines, tutorials, support, or anything similar that comes with the templates?
  • Experience of the authors? It would be best if the author has experience in both consulting and auditing, so that the templates are practical for daily operations, but also acceptable for the certification audit.

So, to conclude: yes – in most cases tools can help you with your ISO 27001 and ISO 22301 implementation. Since there are many tool providers in the market, make sure you perform thorough research before you decide to use one.

Author: Dejan Kosutic, Expert at 27001Academy, is the author of a documentation tool aimed at small and mid-sized companies: ISO 27001 & ISO 22301 Documentation Toolkit .

Comments (1)

Exploding the Myths Surrounding ISO9000 – A Practical Implementation Guide


10 Minutes with… ITGP author Andy Nichols – Exploding the Myths Surrounding ISO9000

by Leave a Comment

In our latest author interview, we meet Andy Nichols, author of Exploding the Myths Surrounding ISO9000 – A Practical Implementation Guide, and talk about quality management and certification.

ITGP: Thanks for speaking to us Andy. Let’s begin with your book. Most books on ISO9000 only cover the rules and requirements of ISO9000 and how you might implement it. Your book seems more ambitious. What was your thinking behind Exploding the Myths?

AN: I decided to write Exploding the Myths Surrounding ISO9000 as people are often confused about the purpose of implementing a quality management system to meet ISO9000, and what third-party certification involves. Some common myths have endured for more than 20 years – one of them being that ISO9000 is: “say what you do, do what you say”. I felt it was a good time to expose these myths and provide practical guidance on what an organization should consider, instead, when implementing ISO9000 and preparing for external certification.

ITGP: You felt there was confusion regarding the purpose of ISO9000 and certification?

AN: When I look at various online forums, people are posting questions about the basics of quality management and are clearly confused. Although, as you say, there are many books describing how to implement a quality management system, the background to ISO standards etc., these are mainly written from the theoretical point of view. Little has been written to address the “hearsay” which has accompanied the development of ISO9000 over the past 25 years.

ITGP: It sounds like this advice is long overdue and based on plenty of experience.  How did you get started in quality management?

AN: I began my career in Quality back in the late 1970s. We relied very heavily on inspection and QC in those days. Luckily, in the mid-to-late 1980s, I was responsible for developing a quality management system to meet a NATO contract requirement using AQAP-1, which is the “great grand daddy” of what we know as ISO9001 today. We did what the AQAP-1 quality requirements told us, and delivered fault-free equipment and installed it without a hitch. This allowed me to pursue roles as implementer, supplier, quality and certification body auditor, as well as consultant and trainer.

ITGP: So, you’ve been meeting customers’ quality requirements right from the beginning of your career?

AN: Yes. The experience of implementing a quality management system to meet a customer’s contract provided an excellent foundation for understanding the basics of implementing quality management systems, without the confusion of third-party certification.

ITGP: Based on all your experience, can I ask what advice you have for those just beginning to use and implement ISO9000?

AN: For those starting out in quality management, and evaluating implementation of ISO 9000 it’s important to remember that much of what is required is already being done, if you are satisfying your customers. What’s needed is some formality to those processes and activities which are working well and then to work on improving them. ISO 9000 brings about a maturity in the way an organisation operates and then requires that management takes a long hard look at its performance and asks what needs correction and what needs improving.

If any organisation finds itself doing something “because of ISO” or “to keep an auditor happy”, then they have to question why this is happening.

ITGP: One final question before we run out of time.  Are there particular parts of your work that you enjoy?

AN: In my position as certification body sales manager, I’ve found that assisting clients in understanding the certification process, what’s expected at each step and how to be successful is the most rewarding. Many organizations are new to the process of certification – even though they may have experience of customer audits, security audits etc. Being able to complete their knowledge, before they select a certification body and begin the process is enjoyable.

ITGP: I can appreciate that ensuring the client is properly informed is very important in making the right choices about ISO9000 and certification. I guess that’s also what made you write the book in the first place.  We’re out of time sadly, but many thanks for speaking to us.

AN: I appreciate the opportunity.

Exploding the Myths Surrounding ISO9000 – A Practical Implementation Guide

Leave a Comment

Do it yourself solution for ISO27001 implementation


ISO 27001 Do It Yourself Package

This is the do-it-yourself solution for ISO27001 implementation

Cyber crime is increasing exponentially, and this trend will continue as more business activities move online and more consumers connect to the Internet. ISO/IEC 27001 is the only international information security management Standard that can help your organization protect its critical data assets, comply with legislation and regulations, and thrive as customer confidence in its data security practices increases.

This package is aimed at organisations that have substantial management system expertise (with ISO9001, or ISO20000, for instance) and an understanding of information security management, as well as the necessary available internal resources and a corporate culture of keeping overall external costs down by following a do-it-yourself approach to project management.


This package does not include certification fees which are paid directly to the certification body.


The ISO 27001 do-it-yourself package contains:

The standards set out the requirements for best-practice information security management. The implementation manuals provide you with detailed implementation advice based on practical experience, which you can access in your own time and at your own pace.

Based on your needs, you may also need: ISO27001-2013 Gap Analysis Tool

Leave a Comment

ISO27001 2013 ISMS Gap Analysis Tool

Gap Assessment Tool

To transition from ISO27001:2005 to ISO27001:2013 you may need a Gap Assessment Tool to prioritize your implementation plan.

ISO27001 2013 ISMS Gap Analysis Tool, which quickly and clearly identify the controls and control areas in which an organization does not conform to the requirements of the standard.

Available for immediate dispatch/download from IT Governance, this tool will further your understanding of ISO27001 and identify where you are and why you are not meeting the requirements of ISO27001.

ISO27001 2013 high level review for making the transition

Comments (1)

8 Best Books That Every Budding #Hacker Must Read


Everyone knows that a hacker by extension is always a programmer. What many don’t know though is that there is a lot more to it. It’s not just about knowing the language. A hacking is mainly defined by his curiosity to know what is otherwise not to be known.

While the following books are on a subject of hacking, they cover a lot of in-depth knowledge on the subject which includes but not limited to examples and exercises. As an ethical hacker, it’s something you can never pass up and may need to know.


1. Hacking: The Art of Exploitation, 2nd Edition

Hacking is the art of creative problem solving, whether that means finding an unconventional solution to a difficult problem or exploiting holes in sloppy programming. Many people call themselves hackers, but few have the strong technical foundation needed to really push the envelope.

Rather than merely showing how to run existing exploits, author Jon Erickson explains how arcane hacking techniques actually work. To share the art and science of hacking in a way that is accessible to everyone, Hacking: The Art of Exploitation, 2nd Edition introduces the fundamentals of C programming from a hacker’s perspective.

The included LiveCD provides a complete Linux programming and debugging environment-all without modifying your current operating system. Use it to follow along with the book’s examples as you fill gaps in your knowledge and explore hacking techniques on your own. Get your hands dirty debugging code, overflowing buffers, hijacking network communications, bypassing protections, exploiting cryptographic weaknesses, and perhaps even inventing new exploits.


2. The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy

The Basics of Hacking and Penetration Testing serves as an introduction to the steps required to complete a penetration test or perform an ethical hack. You learn how to properly utilize and interpret the results of modern day hacking tools; which are required to complete a penetration test. Tool coverage will include, Backtrack Linux, Google, Whois, Nmap, Nessus, Metasploit, Netcat, Netbus, and more. A simple and clean explanation of how to utilize these tools will allow you to gain a solid understanding of each of the four phases and prepare them to take on more in-depth texts and topics. This book includes the use of a single example (pen test target) all the way through the book which allows you to clearly see how the tools and phases relate.


3. Metasploit: The Penetration Tester’s Guide

The author of this book David Kennedy is Chief Information Security Officer at Diebold Incorporated and creator of the Social-Engineer Toolkit (SET), Fast-Track, and other open source tools. Some see this book as a right of passage for anyone to be a hacker.


4. BackTrack 5 Wireless Penetration Testing Beginner’s Guide

Written in Packt’s Beginner’s Guide format, you can easily grasp the concepts and understand the techniques to perform wireless attacks in your lab. Every new attack is described in the form of a lab exercise with rich illustrations of all the steps associated. You will practically implement various attacks as you go along. If you are an IT security professional or a security consultant who wants to get started with wireless testing with Backtrack, or just plain inquisitive about wireless security and hacking, then this book is for you. The book assumes that you have familiarity with Backtrack and basic wireless concepts.


5. CEH Certified Ethical Hacker All-in-One Exam Guide

Get complete coverage of all the objectives included on the EC-Council’s Certified Ethical Hacker exam inside this comprehensive resource. Written by an IT security expert, this authoritative guide covers the vendor-neutral CEH exam in full detail. You’ll find learning objectives at the beginning of each chapter, exam tips, practice exam questions, and in-depth explanations. Designed to help you pass the exam with ease, this definitive volume also serves as an essential on-the-job reference.


6. Ghost in the Wire

Get complete coverage of all the objectives included on the EC-Council’s Certified Ethical Hacker exam inside . Kevin Mitnick was the most elusive computer break-in artist in history. He accessed computers and networks at the world’s biggest companies–and however fast the authorities were, Mitnick was faster, sprinting through phone switches, computer systems, and cellular networks. He spent years skipping through cyberspace, always three steps ahead and labeled unstoppable. But for Kevin, hacking wasn’t just about technological feats-it was an old fashioned confidence game that required guile and deception to trick the unwitting out of valuable information


7. America the Vulnerable

A former top-level National Security Agency insider goes behind the headlines to explore America’s next great battleground: digital security. An urgent wake-up call that identifies our foes; unveils their methods; and charts the dire consequences for government, business, and individuals.


8. CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide

CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide is an update to the top-selling SY0-201 guide, which helped thousands of readers pass the exam the first time they took it. The SY0-301 version covers every aspect of the SY0-301 exam, and includes the same elements readers raved about in the previous version.

Each of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action. The author uses many of the same analogies and explanations he’s honed in the classroom that have helped hundreds of students master the Security+ content. You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.

Over 450 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes a 100 question pre-test, a 100 question post-test, and practice test questions at the end of every chapter. Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.


Leave a Comment

Cyber Resilience Implementation Suite


Cyber security is not enough – you need to become cyber resilient


The document toolkits – created by experienced cyber security and business continuity professionals – provide you with all the document templates you’ll need to achieve compliance, whilst the supporting guidance will make sure you find the fastest route to completing your project.

Whether you know it or not, your organization is under cyber attack. Sooner or later, a hacker or cyber criminal will get through, so you need to ensure that you have the systems in place to resist such breaches and minimize the damage caused to your organization’s infrastructure, and reputation.

You need to develop a system that is cyber resilient – combining the best practice from the international cyber security and business continuity standards ISO22301 and ISO27001.

This specially-priced bundle of eBooks and documentation toolkits gives you all the tools you need to develop a cyber-resilient system that will both fend off cyber attacks, and minimize the damage of any that get through your cyber defenses.

The books in this suite will provide you with the knowledge to plan and start your project, identify your organization’s own requirements and help you to apply these international standards.

The document toolkits – created by experienced cyber security and business continuity professionals – provide you with all the document templates you’ll need to achieve compliance, whilst the supporting guidance will make sure you find the fastest route to completing your project.

Download your copy today

This suite includes:

Leave a Comment

Bestselling Books at Infosecurity 2014


by Lewis Morgan @ITG

It has now been a week since Infosecurity Europe 2014. This year was my first at Infosec, and I found it to be one of the most interesting and diverse events I have ever been to.

During my short time on the IT Governance stand, I spoke to several people who were showing a keen interest in our wide range of books. It was a common opinion that our range of books is one of the broadest in the industry – something of which we are very proud.

To demonstrate our range of books and their popularity, We have created the below list of the 5 bestselling books at Infosecurity 2014*. All of the following books are available in multiple formats.

PCI DSS Pocket Guide

    A quick guide for anyone dealing with the PCI DSS and related issues. Now also covers PCI DSS version 3.0.

ISO27001 / ISO27002 Pocket Guide

    Now updated for the 2013 editions of ISO27001/ISO27002, this pocket guide gives a useful overview of two important information security standards.

Governance of Enterprise IT based on COBIT®5

    A perfect introduction to the principles and practice underpinning the governance of enterprise IT using COBIT®5.

Penetration Testing -  Protecting Networks and Systems

    An essential guide to penetration testing and vulnerability assessment, which can be used as a preparation guide for Certified Penetration Testing Engineer exams.

Securing Cloud Services

    This book provides an overview of security architecture processes, and explains how they may be used to derive an appropriate set of security controls to manage the risks associated with working in the Cloud.


Leave a Comment

Information Security and ISO 27001-2013


The perfect introduction to the principles of information security management and ISO27001:2013

Most organizations implementing an information security management regime opt for systems based on the international standard, ISO/IEC 27001. This approach ensures that the systems they put in place are effective, reliable and auditable.

Up to date with the latest version of the Standard (ISO27001:2013), An Introduction to information security and ISO27001:2013 is the perfect solution for anyone wanting an accurate, fast, easy-to-read primer on information security from an acknowledged expert on ISO27001.

This pocket guide will help you to:

Make informed decisions

    By providing a clear, concise overview of the subject this guide enables the key people in your organization to make better decisions before embarking on an information security project.

Ensure everyone is up to speed

    Once you have decided to implement an information security project, you can use this guide to give the non-specialists on the project board and in the project team a clearer understanding of what the project involves.

Raise awareness among staff

    An Information Security Management System (ISMS) will make demands of the overall corporate culture within your organization. You need to make sure your people know what is at stake with regard to information security, so that they understand what is expected of them.

Enhance your competitiveness

    Your customers need to know that the information you hold about them is managed and protected appropriately. And to retain your competitive edge, you will want the identity of your suppliers and the products you are currently developing to stay under wraps. With an effective knowledge management strategy, you can preserve smooth customer relations and protect your trade secrets.

Download this pocket guide and learn how you can keep your information assets secure.



Leave a Comment

Competitive advantage with ISO 27001

ISO 27001 2013

Gain a competitive advantage with ISO 27001

by Neil Ford

We often talk of the operational benefits that conformance to ISO27001’s specifications will bring your organization, from the cost-saving advantages of increased efficiency to the peace of mind that a robust information security management system (ISMS) provides, but it’s important to remember that compliance with the standard also gives you a distinct competitive advantage, and will enable you to win new business as well as retain your existing clients.

Having the edge over your competitors is always beneficial, and when tendering for new contracts you want the best chance of success that you can get. Here’s how ISO27001 can help win you more business:

» ISO27001 is recognized in every country and every market in the world as the mark of highest competency in information security management. Prospective customers recognize this, and will often choose a supplier that holds an ISO27001 certificate over one that doesn’t.

» In the UK, requests for quotations and tender requests from public sector organizations including the MoD, the NHS and local authorities will ask that the supplier be compliant with ISO27001 or, if it is not, demonstrate the required information security measures by completing a long questionnaire or submitting to an inspection. Conformance to ISO27001 saves considerable time and money in the required due diligence of tender applications. (To be accepted by the MoD as an approved Enhanced Learning Credit (ELCAS) training provider, IT Governance Ltd was asked to be fully compliant to ISO27001.)

» ISO27001 itself recommends that compliant organizations maintain supply chain relationships with ISO27001-compliant suppliers. If you are looking to form trading relationships with larger ISO27001-certified commercial enterprises, you will need to be compliant with ISO27001 too.

» In the IT service industry, where the protection of data is paramount to winning and maintaining the trust of customers, an ISO27001 certificate is the only credible demonstrable of effective information security.

The implementation of an ISO27001 ISMS brings numerous recognized long-term benefits for your organization, and will pay for itself several times over in the extra business you win as a result of your certification. IT Governance supplies a wide range of ISO27001 products and services to help you achieve that end.

Leave a Comment

SEO Powered By SEOPressor