The proof of the pudding

When any organisation claims “Your information is safe with us!” you should ask them to prove it. But how can any organisation definitively do that? Well, one way is to aim high and apply for the ISO 27001 information security accreditation.

As a web design, web development, web hosting and web support agency, we consider ourselves pretty nifty at all things information-ey, so we did just that: we set about applying for ISO 27001 accreditation. We did this not only to have a way of proving that your information really is safe with us but, more significantly, so that we could prove it to ourselves, by exposing our then existing information security practices to the highest possible scrutiny.

The International Standards Organisation

The International Standards Organisation (ISO) is a universally respected international standard-setting body composed of representatives from various national standards organisations. Founded in 1947, the ISO promotes worldwide proprietary, industrial and commercial standards, including standards for information security. Attaining ISO accreditation for anything is a seriously high bar, and its 27001 certification for information security is no exception.

The ISO 27001 Standard for Information Security

To achieve ISO 27001 accreditation an organisation, in essence, must assess all and any security risks associated with all and any information (and its systems) that the organisation controls or processes. Any unacceptable risks identified by this risk analysis are then subject to risk treatments in the form of “controls”. Risk treatments, then, represent the application of controls designed to remove or mitigate information security risks. This is a front to back, top to bottom process leaving no information stone unturned.

What’s more, this risk analysis, the beating heart of the matter, must be housed in a body of tightly controlled documents, demonstrable leadership commitment, employee information security awareness and training, and robust information security processes, procedures and policies. In all it took us 7 months and hundreds of agency hours to produce our 250-page application in the form of The Pragmatic Information Security Management Manual (available on request).

Even if we do say so ourselves

A couple of weeks ago The British Assessment Bureau came to our offices to audit us for information security. Since it was our first time we were a little nervous but, as it turned out, that was needless. We smashed it out of the park, passing with a sum total of 0 “non-conformities”. Not one. A clean sheet. Flying colours, you might say.

Therefore Pragmatic is now fully ISO 27001 accredited and can say with great confidence that “Your information is safe with us” and, what’s more, we can prove it.