Standard ISO/IEC 27001
Information Security Management
To ensure the security of sensitive information such as personal data of employees or clients, financial data, intellectual property, or any other information deemed sensitive, organizations holding this information must take appropriate steps to protect it from loss, theft, or alteration, and to protect their computer systems from any type of disaster or intrusion.
They can achieve this by meeting the requirements specified in ISO/IEC 27001 Information Security Management.
ISO/IEC 27001, the product of an international consensus, describes the implementation within an organization of an Information Security Management System (ISMS). This standard specifies international best practice and offers organizations a systematic approach for preserving the confidentiality, integrity, and availability of information, while helping them to limit the risks, costs, and damage linked to poor information security management.
The ISMS comprises policies, procedures, and security measures which must be appropriate and proportional to the risks incurred. ISO/IEC 27001 certification will increase the confidence of your organization and reassure your clients, suppliers, and employees since it will demonstrate that you have put into place the necessary means to protect the sensitive information in your possession.
ISO/IEC 27001 has several elements in common with other ISO standards; for example, the management system presented dovetails nicely with other management systems such as quality management (ISO 9001).
Certification Offer
Organizations wishing to have their information security management system recognized should contact the BNQ, whose certification program for information security management systems is accredited by the Standards Council of Canada (SCC).
To qualify for ISO/IEC 27001 certification, organizations shall demonstrate to the BNQ that they meet the requirements of the standard. These requirements cover:
- context (needs and expectations of stakeholders, limitations and applicability of the ISMS, etc.)
- leadership (information security policy, roles, responsibilities, authorities, etc.)
- planning (measures to be implemented in response to the risks and opportunities, information security objectives, plans to achieve the objectives, etc.)
- support (resources, abilities, training, communication, documentation, etc.)
- operational activities (operational planning and control, risk assessment and treatment regarding information security, etc.)
- performance appraisal (monitoring, measuring, analyzing and assessing, internal audit, management review, etc.)
- system improvement (noncompliances, corrective actions, ongoing improvement, etc.).
At the BNQ, the certification process for information security management systems adheres strictly to the applicable accreditation requirements. The certification cycle is a three-year cycle during which maintenance audits are performed at twelve-month intervals. The process begins with an initial application for certification submitted by email using the application form provided for the purpose (see link below: “Download the document required for certification”). Once the service contract between the BNQ and the client has been signed, and the requisite documentation pertaining to the client’s information security management system has been sent to the BNQ, the name of the auditor responsible for the audit is communicated to the client. To begin with, a preliminary assessment is carried out to measure the level of preparedness of the client, notably through the review of the documents submitted. The conclusions of this preliminary assessment are communicated to the client in the form of a written report in which an initial judgement is given as to the conformity of the system to the documentary requirements of the standard, and to the level of the client’s comprehension and implementation of the requirements of the standard. Should the assessment be favourable, the lead auditor prepares an audit plan and sends it to the client. The auditor then carries out an initial onsite certification audit during which relevant information pertaining to the requirements of the standard is collected and verified. This information is collected by means of interviews, the observation of activities and the work environment, and the consultation of documents on the spot. The client is informed of the auditor’s findings as the audit progresses, and these are also found in the written report summarizing the auditor’s conclusions. Any discrepancies observed during the audit may be subject to corrective action requests (CARs), which may be major or minor depending on the significance of the impact of the discrepancy on achieving the objectives of the standard. CARs must be closed (in other words resolved) within 30 days following the audit. The decision to certify the information security management system or not is based on the recommendation of the lead auditor, along with the revision of the file by the BNQ, in order to ensure that all certification conditions have been met. Following a favourable decision by the BNQ, a certificate of conformity is sent to the client, who agrees to undergo a first maintenance audit within twelve months from the first day of the initial certification audit. Accredited by the Standards Council of Canada (SCC), the BNQ has always shown exemplary diligence regarding decision-making and certification recommendation. Our international accreditations guarantee that the BNQ’s procedures and practices are carried out in compliance with the regulations of the International Organization for Standardization (ISO), the International Accreditation Forum (IAF), and the World Trade Organization (WTO). Choosing the BNQ’s ISO/IEC 27001 certification program means: Webinaire Webinaire Nancie Carrière
Présentation (PDF)
Présentation (PDF)
Sales Technician
Bureau de normalisation du Québec
Tel.: 418-425-1676