Archive for the ‘Information Security’ Category

Gain a competitive advantage with ISO 27001

April 2nd, 2014

We often talk of the operational benefits that conformance to ISO27001’s specifications will bring your organisation, from the cost savings of increased efficiency to the peace of mind that a robust information security management system (ISMS) provides. It’s important to remember, though, that compliance with the standard also gives you a distinct competitive advantage: it will enable you to win new business as well as retain your existing clients.

Having the edge over your competitors is always beneficial, and when tendering for new contracts you want the best chance of success that you can get. Here’s how ISO27001 can help win you more business:

  • ISO27001 is recognised in every country and every market in the world as the mark of highest competency in information security management. Prospective customers recognise this, and will often choose a supplier that holds an ISO27001 certificate over one that doesn’t.
  • In the UK, requests for quotations and tender requests from public sector organisations including the MoD, the NHS and local authorities will ask that the supplier be compliant with ISO27001 or, if it is not, demonstrate the required information security measures by completing a long questionnaire or submitting to an inspection. Conformance to ISO27001 saves considerable time and money in the due diligence required for tender applications. (To be accepted by the MoD as an approved Enhanced Learning Credit (ELCAS) training provider, IT Governance Ltd was asked to be fully compliant with ISO27001.)
  • ISO27001 itself recommends that compliant organisations maintain supply chain relationships with ISO27001-compliant suppliers. If you are looking to form trading relationships with larger ISO27001-certified commercial enterprises, you will need to be compliant with ISO27001 too.
  • In the IT service industry, where the protection of data is paramount to winning and maintaining the trust of customers, an ISO27001 certificate is the only credible demonstration of effective information security.

The implementation of an ISO27001 ISMS brings numerous recognised long-term benefits for your organisation, and will pay for itself several times over in the extra business you win as a result of your certification. IT Governance supplies a wide range of ISO27001 products and services to help you achieve that end.

ISO27001 Certified ISMS Foundation Training Course

The one-day ISO27001 Foundation Course provides a complete introduction to the ISO27001 standard and explains how and why compliance with ISO27001 can help your company win new business with larger firms and public sector organisations including the MoD, the NHS and local government.

Transition to ISO 27001:2013 with the help of online training

April 1st, 2014

For those wishing to transition their information security management system from ISO27001:2005 to ISO27001:2013, it can be quite a daunting process. A number of these questions may have passed through your mind…

  • What are the new changes?
  • How am I going to implement them?
  • When should I start implementing the new standard, in order to meet the deadline?
  • Does my current ISMS still apply?
  • Why is the Continuous Process Improvement so important this time round?

So, instead of trawling through the internet looking for answers to your never-ending stream of questions, why not set a day aside and book your place on IT Governance’s ISO27001 2013 Certified ISMS Transition Live Online Training Course? Taught by Alan Calder, qualified senior ISMS consultant and founder and executive chairman of IT Governance Ltd, this one-day, fully interactive training course will develop your knowledge and give you practical advice for transitioning to the new standard.

With the next training date running on April 10th 2014, this is the perfect time to understand the requirements fully before you undertake the transition to ISO27001:2013.

Book your place today >>

List of Data Breaches and Cyber Attacks in March

April 1st, 2014

Once again, cyber criminals have been very busy. In March there were several high-profile breaches, such as those at Morrisons and the California DMV. Whilst this list may appear long, it is only a snapshot of the true number of breaches and attacks that occurred in March.

Data Breach

Devices stolen from Palomar Health staffer, data on 5K patients at risk

Morrisons employee arrested following data breach involving details of 100k staff

CD in refurbished drive contained unencrypted info on 15K NYC transit workers

Iowa DHS data breach dates back 2008, more than 2,000 impacted

Malware on Wisconsin university server storing info on 15K students

More than 1,000 UK HealthCare patients impacted by stolen laptop

About 55K in San Francisco impacted in theft of Sutherland computers

Another two universities suffer data breaches, but notification still too slow

Hackers steal 12 million customer records from South Korean phone giant

Cardholder Data

Malware in 34 Spec’s stores, payment data compromised for 550K

Credit Card Breach at California DMV

Personal info ends up online, nearly 9,000 Ohio patients affected

Other Attack

EA Games website hacked to phish Apple IDs from users

NATO website hit hard by denial-of-service attack as Crimean tension rises

Russia Today website hackers tweak headlines, replace with word “Nazi”

Hootsuite suffers DoS attack

Bitcoin user loses $10K to typosquatters

AnonGhost hackers deface a fake bank site DDoSed by extortionist, refuses to pay ransom

The key to improving your cyber security defences and protecting yourself from emerging cyber threats is to know what your vulnerabilities are. Find out how to protect your organisation by attending this webinar, ‘What every IT professional needs to know about penetration tests’, on 03/04/14 at 3:00pm GMT.

How ISO 27001 can Protect Homeland Security

March 20th, 2014

Cyber security is a key topic on the US Department of Homeland Security’s agenda. Not only is it recognized as a serious threat to the government, it also affects our everyday lives; we rely on a vast array of networks and infrastructure to power our homes, travel, communicate, and run our economy, as well as to provide government services. President Obama poignantly stated in one of his latest speeches:

“Cyber threat is one of the most serious economic and national security challenges we face as a nation.”

So how can corporations throughout America protect their livelihoods, as well as the safety of their customers, from vicious cyber attacks? How can Amtrak ensure we get to work on time? How can T-Mobile ensure we always stay in touch with people? How can Bank of America ensure our money is kept safe?

We’ve already seen what effect cyber attacks can have on US corporations: who can forget the great hacks of Sony, Adobe and Target which left millions of users vulnerable after their confidential details (names, addresses, card details etc.) were exposed online? It’s now only a matter of time before cyber attacks start affecting our critical infrastructure.

Last year, Homeland Security Secretary Janet Napolitano warned that, “Our country will, at some point, face a major cyber event that will have a serious effect on our lives, our economy and the everyday functioning of our society.”

Not only do we need a combined approach to cyber security; corporations also need to take steps to do what is right by their country and their customers. ISO/IEC 27001:2013, the internationally accepted cyber security standard, provides best-practice requirements for an information security management system (ISMS) to help make your information more secure. Already used by over 550 American corporations (2012), this standard is experiencing an average 30% increase in adoption each year throughout the US.

By implementing ISO27001, corporations can benefit from more secure systems, and the opportunity to win new business and gain trust from existing customers because of their increased level of security.

No standard, process or piece of software can completely protect your business from a cyber attack, but adding a further precaution to guard your information can significantly reduce the chances of your being hacked and mitigate the effects of any attack.

To discover more about ISO27001, download our free Information and ISO27001 green paper.

If you are already thinking of aligning your ISMS with ISO27001, take a look at the ISO27001:2013 ISMS Standalone Documentation Toolkit. This provides pre-written documentation which makes creating and managing your ISO27001-compliant ISMS straightforward.

Cyber War has already started! (The Criminals just didn’t tell you.)

March 17th, 2014

Aerial assault


This post is about why you should book a place at our Cyber War London Event:

Event: ISO27001:2013 and PCI DSS V3: new Standards in the Global Cyber War (Churchill War Rooms, London, 8 May 2014)

If you are a C-Suite manager and you care about your organisation’s reputation, commercial advantage, share price and the cash in the bank… then I recommend that you join us in the bunker. [SFX: Air Raid Sirens] Read on…

Cyber War will not start at Midnight… it’s raging now. Are you in the fight?

Shocking though it is to report, the growing number of organised gangs and rogue states behind the escalation of cyber crime did not issue a media announcement before hacking into the systems of profitable businesses.

Global hacking without declaring a State of War? How jolly unsporting!

After all, you’re not meant to go around the Maginot Line. We’ve spent billions building firewalls and routers, installing intrusion protection and SIEM software, and now they are evading our best efforts by simply attacking us on the Cloud and infecting the CEO’s BYOD at home. Cheats!

Windows XP support will end: which organisations are actually ready?

The fact is, war on the internet is not due to start at midnight on a future date, like the one on which Microsoft finally withdraws patch updates for Windows XP (8th April 2014) – even though there are still ATMs that are running this stable and much-loved Operating System from a different age.

I’ve just bought Windows 8.1 myself. I realise that I was clinging to the technology that I knew. It’s actually quite good so far, despite bad press. That’s the trouble though, isn’t it? Our perception wanes as we grow a bit older. We want to fight the last war, not this one. It’s a natural mistake for all politicians, business leaders and organisational decision-makers to make.

Even in the mid-1930s the Royal Air Force’s front-line fighters were biplanes, little different from those employed in the First World War. The rearmament programme enabled the RAF to acquire modern monoplanes like the Hawker Hurricane and Supermarine Spitfire, such that sufficient numbers were available to defend the UK in the Battle of Britain in 1940 during the early stages of World War II. In the British Parliament, the case for rearming was championed by the man who later came to lead the nation in a time of total war: Sir Winston Churchill, whose Cabinet War Rooms we will be commandeering (courtesy of the Imperial War Museum).

Thursday, May 8th, 2014: a date that will go down in your company’s history?

At 09:30 on May 8th, our event will begin. After an introduction by our Executive Chairman, Alan Calder, our keynote speaker, Neira Jones, will begin speaking on the subject of:

“The Global Cyber War: Using ISO27001:2013 and PCI DSS Version 3 to drive business, cost and security improvements”.

Her point will be that security isn’t necessarily a cost; it can be profitable to think in terms of protecting your own and your customers’ private data.

In the course of the day other cyber security experts, including UKAS technical advisor on Information Security, Steve Watkins, Bridget Kenyon, the Head of Information Security at University College London, and Geraint Williams, a QSA and leader in the field of PCI DSS compliance, will explain what your organisation needs to do to protect its confidential data and achieve ‘cyber resilience’ – the cyber age equivalent of ‘Business As Usual’.

What can we do about Cyber Security – assuming that we are not doing it?

I sympathise with the C-Suite and senior IT managers over this question. There are as many answers as there are suppliers of software, hardware, technical services, consultancy and the gamut of training options out there.

Not surprisingly, everybody with a vested interest is claiming that they have the weapons that you need to defeat the terror of the cyber criminals. The noise from their marketing campaigns, strident ‘fear, uncertainty and doubt’ messaging and loud calls to action are in danger of defeating us all.

But wars are not won with new weapons alone. Technology often tips the balance in favour of one side or the other, just as a well-trained army with a high level of morale has a better chance of overcoming a poorly-prepared and frightened group of raw recruits. But in the end, the winners in the game of war are more likely to be those that understand the need for their people, processes and technology to work in a coordinated, strategic way.

So what measures should we be taking to protect our business interests?

First: think ‘People, Process and Technology’. (Note: not just Technology).

Second: do not fall into the trap of thinking that your organisation is too low-profile/small/not in an ‘at risk’ business sector to be a victim of crime.

Cyber attackers seek out vulnerabilities: if your system has them, attackers will exploit them. Sooner or later (and it may already have happened), you will join the burgeoning list of enterprises that have suffered a security breach.

Would you like to book your place? The cost is only £45+VAT.

For just £45 you could receive some of the best advice that you will hear in your career: advice that could help you to resource where needed, train staff across your organisation, and put in place procedures and controls to enable you to manage cyber security in line with HM Government’s advice.

In Churchill’s words:


Book your place now

Want our expert help, but can’t make this date? Then…

Read our page on Cyber Health Checks – find out if you need to close gaps in your own cyber security to be compliant with the Cyber Hygiene Profile.

*  *  *  *

If you would like to find out more about ISO27001:2013 and how to set up and run an Information Security Management System (ISMS) to help you comply with PCI DSS Version 3.0, talk to our consultants on 0845 070 1750.

Bookmark this page as well!


Raising UK Cyber Security Standards

February 19th, 2014


Basic Cyber Hygiene Profile discussed in public at ISO27001 User Group, BSI Headquarters (14th February, 2014).

The UK Government’s ‘Basic Cyber Hygiene’ Profile is out in draft (v0.12) and is circulating.

What is it?

In the words of the Department for Business, Innovation & Skills (BIS), the Basic Cyber Hygiene Implementation Profile (a 16-page A4 document) is described as “…a key deliverable as part of the UK’s National Cyber Security Strategy / Cyber Programme”. It represents one of (potentially) several such profiles to help organisations manage the variety of business issues introduced by “the growing number of cyber threats”.

Who is this Cyber Security Profile for? And why should I/we be interested?

This implementation profile has been developed for all types and sizes of organisation, as they all need to protect themselves against low level cyber threats. Measures to address low level cyber threats described in this profile are considered to be the “absolute minimum” that any organisation connected to the Internet needs to have in place and sustain. It is therefore assumed (rightly, I judge) that this profile will be “…of interest and relevance to a broad range of individuals that have responsibility for protecting the organisation against low level cyber threats, including business owners, business executives, business managers, IT specialists and security practitioners”. But will it be widely adopted by smaller firms?

I asked the BIS to comment on this and other issues raised at the User Group, and their response below should be of interest to all UK businesses:

Q: What is the Cyber Hygiene Profile?

A: The Cyber Hygiene Implementation Profile is considered by HMG to “help businesses follow best practice in basic cyber hygiene and mitigate risks at the low-threat level”.

Q: Will HM Government specify the Profile in contractual relationships?

A: HMG will specify the Profile in contractual relationships with its suppliers where it is proportionate to do so, either in reference to best practice or as a requirement in terms of adequate cyber security best practice. In addition, HMG is encouraging adoption amongst major market sectors, including within companies’ own supply chains.

Q: Will other implementation profiles follow – and who will they be for?

A: It is anticipated that this Implementation Profile will be one of a suite of publications developed for other scenarios which might include the use of cloud services, for example.

Q: When will the Basic Cyber Hygiene Profile be published?

A: The Cyber Hygiene Profile will be made available by the 31st of March, after which the Government will continue to engage with industry on further developments.

So, you have answers to some important questions, courtesy of the BIS!

How will the Basic Cyber Hygiene Profile work? – What does it consist of?

To make the advice relevant to different sizes of enterprise, BIS defines three categories that together cover all organisations, ranging from an individual user or very small organisation (Category 1; 1 to 10 users) – what I would term a ‘microbusiness’ – through small organisations (Category 2; fewer than 250 users), to large/complex organisations (Category 3). Large enterprises of course represent the majority of the ISO27001 certificates issued on a global basis, although the trend may well be towards a larger number of SMEs adopting and certifying to the Standard.

SMEs are rarely ISO27001 registered; although it is fair to say in our experience, the ones that have gained a certificate are very proud of it and use it as evidence of their high standards of cyber/information security. But what of the others? Will this Cyber Hygiene Profile obviate the need to be ISO27001:2013 compliant when it comes to winning Government work?

Will the Implementation Profile approach work to address cyber security?

The Cyber Hygiene Profile is ‘Basic’, and to ignore these fundamental security activities would be frankly irresponsible – bordering on reckless.

The head of GCHQ, Iain Lobban, said in a BBC News article in October 2010 that while 80% of the threat to systems could be dealt with through good information assurance practice – such as keeping security “patches” up to date – the remaining 20% was more complex and cannot simply be solved by building “higher and higher” security walls (the first of the 5 ‘topics’ covered in the Profile). He added that the country’s future economic prosperity rested on ensuring a defence against assaults on our critical infrastructure.

This definition includes national power grids and the emergency services, which face, in Sir Iain’s words, a “real and credible” threat of cyber-attack. Critical infrastructure also includes sectors such as financial services, government, mass communication, health, transport, and food and water – all of which are deemed necessary for delivering services upon which daily life in the UK depends. A high proportion (most?) of these critical assets are in some way supplied by smaller enterprises, so the risk factor is there.

SMEs need better cyber security – but can they actually afford to improve?

Many SMEs are at risk because of uncertainty over their security and cyber-attack threats, according to a study published by the Ponemon Institute in November 2013. The Risk of an Uncertain Security Strategy study polled 2,000 SMEs globally; 58% of respondents said management does not see cyber-attacks as a significant risk to their business.

The same study found that some 44% reported IT security is not a priority, while 42% said their budget is not adequate for achieving an effective security posture and only 26% said their IT staff have sufficient expertise.

Will the new BIS Basic Cyber Hygiene Profile work for British Industry?

As the wise person said: ‘A journey of a thousand miles begins with a single step’. But it is just that. The Implementation Profile is ‘Basic’ in the extreme, intended only to provide a consistent approach to low level threats. And it’s worth reflecting that it isn’t just Government that wants better cyber security; many of the world’s leading enterprises and their Tier 1 suppliers are increasingly nervous about dealing with SMEs that cannot demonstrate their compliance. Large enterprises don’t want to throw away years of costly investment in information security best practice by connecting their servers to organisations that have few or no IT policies, procedures and controls. Moreover, they have a global reputation to protect that is worth far more than supplier relationships with small firms.

Cyber Security is Global. The USA will soon be introducing a new Standard

In an article in InformationWeek Government, the US standard is seen as a must-have requirement: “Why Businesses Can’t Ignore US Cybersecurity Framework” by Wyatt Kash describes the Framework for Improving Critical Infrastructure Cybersecurity in the following terms:

“…the framework has cred, as its recommendations come not from Washington regulators, but from industry experts who’ve combatted cyberattacks. In pulling together the framework, the National Institute of Standards and Technology went to great lengths to collect, distill, and incorporate feedback from security professionals. More than 3,000 individuals and organizations contributed to the framework.”

One wonders how many UK organisations will have the opportunity to comment on the UK Government’s Implementation Profiles, starting with Basic Cyber Hygiene? More importantly, will there be a serious attempt to bring SME organisations into the process of defining what constitutes an acceptable minimum standard?

Read our page on Cyber Health Checks – find out if you need to close gaps in your own cyber security to be compliant with the Cyber Hygiene Profile.

*  *  *  *

If you would like to find out more about ISO27001:2013 and how to set up and run an Information Security Management System (ISMS), talk to our consultants by calling: 0845 070 1750.

Bookmark this page as well!

McAfee CTO: Cyber Criminals Target SMEs

February 13th, 2014

This week – in an article in the Financial Times – McAfee CTO Mike Fey stated that small businesses have become an easy target for cyber criminals because of their lacklustre approach to cyber defences.

SMEs are often guilty of failing to keep software protection up to date, to provide basic cyber training (for example, awareness of phishing scams) and to identify risks when new technology (including mobile devices) is brought into the business.

Mr Fey also commented on how sophisticated technology was being used not only against large corporations:

“Small- and medium-sized businesses are nice easy targets – and you can attack 2,000 small businesses at once,” he said. “We’re starting to see stuff which may have been built for very sophisticated industries put to all sorts of minor use cases.”

One of the most interesting points that Mr Fey made was the misconception among SMEs that they had nothing cyber criminals wanted. What smaller businesses fail to recognize is that cyber criminals are indiscriminate, using automated technology which exploits vulnerabilities wherever they find them.

It doesn’t matter if you’re Sony, Target or the local flower shop’s website. If a weakness is found, criminals will exploit it, whether the prize is intellectual property, credit card numbers or access to a larger network (as was the case in the Target breach, which started with a hack of one of its vendors’ networks).

One final thought. Contrary to what you might think, hackers and cyber criminals do not require sophisticated skills. On the internet there are freely available hacking toolkits complete with simple instructions and even customer support. If you can read, you can hack. It’s that simple.

The question is, now that you know you’re at risk (it’s nothing personal), what are you going to do about it?

The Cyber Security Risk Assessment Tool is an inexpensive (just $100) way of identifying your current levels of cyber security. It will provide you with a clear idea of your current risks, your exposure and what gaps you need to close.

Online ISO 27001 Lead Implementer Training

February 11th, 2014

If you are serious about implementing an information security management system (ISMS) to protect your business, then aligning it to ISO 27001, the world’s only recognised ISMS standard, is advisable.

Our ISO27001 Certified ISMS Lead Implementer Online Training Course will provide you with live and interactive online training, covering all aspects of implementing and maintaining the standard.

Based on our highly successful UK classroom training course, this online interactive course is delivered in real time by Alan Calder, widely acknowledged information security guru.

ISO27001 Certified ISMS Lead Implementer Online

Next training date: 4-6 February 2014

Price: $1,499

Learn more

On completion of this online course, you will not only receive a recognised CIS LI certificate from the International Board for IT Governance Qualifications (IBITGQ), you will have a practical understanding of implementing and maintaining an ISO 27001 ISMS.

Book your place today >>

Major US hotel management firm discloses data breach

February 11th, 2014

White Lodging, which provides a range of hotel management and development services, has come under the spotlight as it investigates a possible data breach across 14 of its properties.

The firm, which manages hotels for brands such as Marriott, Holiday Inn and Radisson across America, believes the suspected credit and debit card breach occurred between March 20 and December 16 at the hotels’ food and beverage outlets. White Lodging has said that the information compromised could have included names on credit or debit cards, the full card number, security codes and expiration dates.

Customers of these hotels will now start to question whether their card was compromised and doubt their loyalty to the hotel chain itself, even though the chains were not the ones to suffer the breach. Marriott, Holiday Inn and Radisson are now associated with the breach and will most likely suffer brand damage, loss of customer trust and loss of revenue.

This latest data breach to reach the headlines really brings home to organizations the fact that your suppliers’ information security procedures are as important as your own. How they store, transmit and process your customers’ confidential data can have a significant impact on how your customers value you as a brand.

ISO 27001 is recognized globally as the world’s only information security standard. Selecting suppliers who are already certified to this standard will bring increased levels of information security and of customer and stakeholder confidence, resulting in a significant advantage over your competitors.

IT Governance, America’s information security and governance specialists, provides a range of books, standards, tools and training to help organizations implement best practice information security standards to better secure their information.

Their ISO27001 2013 ISMS Standalone Documentation Toolkit provides a cost-effective and time-saving solution to implementing the standard by providing pre-written policies, procedures, work instructions and records. Find out more >>

If you would like to increase your levels of information security, then purchase this toolkit to help you implement an information security management system which is in line with ISO 27001.

Alternatively, if you would like to find out more about ISO 27001 when sourcing suppliers, download our free green paper on the subject.

Source: USA Today

What’s in the HM Government Cyber Security Standard (due March 2014)?

January 10th, 2014

Prevent cyber-crime and make the UK a safer place to do business, as advised by Whitehall!

The UK Government is developing an industry-led kite mark-style standard for cyber security. The focus is on essential steps that all businesses should be taking to protect themselves from low-level threats. In a speech outlining the Government’s cyber security progress, Cabinet Office Minister Francis Maude said that all central government departments will be expected to adopt this standard for their own procurement from 2014.

So what’s in this new UK “kite-mark style” standard for cyber security?

Sorry to be a tease, but as of the 8th of January, the people who have a clue about what the new HM Government Cyber Security Standard will contain in precise detail are not telling. And at this point, if you are planning to skip the rest of this homily, don’t. There are some very good reasons for getting busy in 2014 on the slippery topic of cyber security and how to go about it. In particular, you need to evaluate your stance on ISO27001:2013, the new and much more flexible version of the ISO27001 standard that is the most widely adopted, internationally-accepted standard for information security. Because if your organisation hasn’t already gained ISO27001 certification, it is missing out on opportunities to work with the organisations that have!

We have IT security already. Why do we need a ‘cyber security standard’?

To quote Malcolm Marshall, UK and global leader of the Information Protection and Business Resilience team at consultants KPMG:

“As governments worry about the scale of the cyber security threat, we can expect to see more national standards emerge, and greater pressure for ‘voluntary’ compliance. The US NIST cyber security framework and the UK government’s ‘kitemark’ are just two examples.”

Malcolm believes governments will put more emphasis on business compliance with regulations over the next year. I think that he’s right.

Isn’t Cyber Security just another Government ‘hoop to jump through’?

Well, of course, if you do serious business with Governments, and the US and UK central departments in particular, you had better know about this – and if you want to win/maintain procurement contracts, you would be pretty silly to ignore these standards. Admittedly, not every business has a need to do so. There are plenty of internet businesses for example that operate globally and care very little what particular jurisdictions require.

Whatever you think of governments, though, and this commentator is as sceptical as the next IT-literate nerd, one of their more acceptable roles is to enact laws that protect citizens from thieves who don’t play by the rules.

However, even if your business life has nothing to do with government contracts, you still need to know about the reasons for these standards (i.e. the threats posed), even if the motivation is largely voluntary (as yet).

The UK Government’s Cyber Crime initiative is a worthy attempt to ‘govern’ sensibly, by investing in agencies that can help to fight back against increasingly sophisticated gangs of robbers and recommend best practice.

Backed by industry, it is stated that the “kitemark-style standard” [Source: BIS press release] will be launched early next year (March 2014), as part of the £860 million cross-government National Cyber Security Programme.

IT Governance will be discussing how best to tackle the growing threat. Our aim is to assist the government’s mission by working with our clients in industry to comment on and help develop an official “cyber security standard” which will help stimulate the adoption of good cyber practices.

ISO27001:2013 – just too big and expensive for the smaller enterprise?

It has been claimed by some lobbyists that ISO27001 in particular is too unwieldy, complicated and expensive to satisfy the requirements of cyber security in the private sector. Can small companies with fewer than 20 employees achieve ISO27001 certification – an international Standard that could help them to win business – for an affordable amount of money?

You are cordially invited to attend our one-day event, held jointly with UKAS-accredited Certification Body NQA, to find the answers for yourself.


Costing just £35+VAT per delegate this event will help you to determine your cyber security readiness and protect your organisation from the hacking threat – regardless of which of the standards or recommendations you implement.

Learn about the cyber security standards adopted globally, and why ISO27001 is the world leader. Plus what you can gain through adoption of management system standards that can help to position your enterprise.

One of our ISO27001 Consultancy clients, Andy Shettle, set up an SME business that relies more on his skills and the internet than on a large staff – and yet he chose to certify to ISO27001. He also did this for under £5,000.

To quote the entrepreneur:

“The requirement from our clients is to be secure and by planning and implementing an ISO27001-compliant information security management system (ISMS) we are able to offer complete confidence. With cloud deployments increasing, prospective clients of Workforce Metrics are seeking further assurances around IG and ISO27001 is an internationally recognised standard, so it was vital that we had it.” (Andy Shettle, Managing Director, Workforce Metrics)

(To find out how he gained UKAS-accredited ISO27001 certification, you could do worse than read the IT Governance case study: Workforce Metrics achieves ISO27001 certification in only three months for under £5k! It’s FREE, and ready for you to download now!)

So what has changed over last year that means we need Cyber Security?

A lot.

The trends that Andy Shettle has identified are also on the IT Governance radar and I suggest that we all need to factor a standards-based approach in our current and future planning.

Want to find out how to implement an international ‘cyber security standard’ called ISO27001, and be the real winner among your competitors, regardless of which technology you choose to adopt (or are forced to accept, because the waters around you have grown) in 2014?

Our one day event – held at NQA in Houghton Regis, Central Bedfordshire – will help you to understand how to use ISO 27001:2013 to fully account for cyber security and information security issues.

Best advice: book as fast as you can!

*  *  *  *

If you would like to find out more about ISO27001:2013 and how to set up and run an Information Security Management System (ISMS), talk to our consultants by calling: 0845 070 1750.

Bookmark this page as well!
