Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.

ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).


What is an ISMS?

An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.

It can help small, medium and large businesses in any sector keep information assets secure.

About ISO 28000 & its Benefits

ISO 28000 is an international supply chain security management system standard.
Most organisations rely in some way on their supply chain to ensure business continuity and they are vulnerable if supplies are interrupted. To help prevent this and manage security risks in this current volatile world, ISO has published ISO 28000; with valuable and extensive inputs from Lloyd's Register.
Securing cargos against theft and terrorist attacks is more important now than ever. In the wake of 9/11, a number of new standards were created containing specific requirements for different regions and transportation routes. The new ISO 28000:2007 standard has been created as an internationally valid standard and combines the different existing requirements in one comprehensive set of rules.
ISO 28000 is an international supply chain security management system standard.  It offers organisations working within, or relying on, the logistics industry, a framework that identifys aspects critical to the security assurance of their supply chain.  These aspects include, but are not limited to, financing, manufacturing, information management and the facilities for packing, storing and the transferring of goods between modes of transport and locations.
ISO 28000 is a management system specification which has been developed specifically for logistics companies and organisations that manage supply chain operations. This specification was published by The International Standards Organisation (ISO) in September 2007.
ISO 28000 is suitable to all sizes and types of organisation that are involved in purchasing, manufacturing, service, storage, transportation and/or sales processes that wishes to implement and maintain a secure management system for their supply chain.
In today’s global economic landscape, security management has become a complex challenge in all areas of industry and, in particular, supply chains. Logistic operations and supply chain partners are often scattered worldwide with varying national regulations and business processes. Companies would
like to assure security while identifying potential threats, assessing risk and implementing measures to prevent any risks and threats affecting the success of their business.

ISO 28000 was developed in response to the transportation and logistics industries’ need for a commonly applicable security management system specific to supply chain security. However, companies in many other industries are finding it useful to assess security risks, implement controls, and mitigate arrangements to manage potential security threats and impacts from the supply chain. Quality, safety and customer satisfaction also benefit from this management system.

The requirements for ISO 28000 include all critical aspects for supply chain security assurance. Some examples include: financing, manufacturing, information management, and the facilities for packing, storing and transferring goods between vehicles and locations. Security management is
linked to many other aspects of business management. These should be considered directly, when and where they impact security management, including transporting goods through the supply chain.

ISO 28000 Benefits
•    Stakeholder confidence - to demonstrate a robust and secure supply chain management system to regulators/authorities, their customers/potential customers and other interested organisations.
•    Consistency - to provide a consistent approach by all service providers within a supply chain.
•    Customer satisfaction - to demonstrate the ability to meet customer requirements
•    Risk management - Can help all sectors of industry assess security risks and implement controls and mitigating arrangements to manage potential security threats and impacts from the supply chain
•    Easily integrated - it uses a plan-do-check-act based management system that has been modelled on the well proven ISO 14001 standard. This means that organisations already familiar with the same risk based approach used by ISO 14001 will be able to use a similar approach when analysing supply chain security risks and threats.
•    Supplier of choice - Can demonstrate to customs authorities the organisation's capability to manage security issues within the supply chain.
•    Enhanced security risk assessment, asset protection and inventory visibility and management
•    Assured supply continuity for sustainable business development and reduction of delivery times
•    Improved customer satisfaction and business cooperation along the supply chain
•    Reduction of losses resulted from transport related theft
•    Shorter customs clearance time and reduced secondary inspections
ISO 28000 certification from Oxford Cert Universal enables you to:
•    Demonstrate you pioneering role in transportation security
•    Pool existing security standards relating to transportation into one unified management system
•    Avoid the expense associated with multiple certifications
•    Optimize your processes to guarantee that the supply chain remains free of disruptions
•    Present yourself as a professional partner to customers, authorities, and investors
ISO 28000: 2007 certification from Oxford Cert Universal enables you to do even more. Our auditors also take a detailed look at your finances and information management system, together with all packaging, storage, and transportation processes, which means that the certification process will lead to significant gains in efficiency in your company. You can save a considerable amount of effort at this stage if you have already implemented a quality management system in line with ISO 9001.
Benefit from additional synergies by incorporating your security management system within an integrated management system strategy. Go beyond simply combining your IT security system with a quality management system; why not also integrate it with environmental protection certification or occupational health and safety standards?

Oxford Cert Universal Services
•    Certification - we can provide assessment and certification to ISO 20000.
•    Internal AuditAssessments - Oxford Cert Universaloffer gap analysis, preliminary assessments to prepare you for certification.
•    Training -Oxford Cert Universaloffer training which will prepare you and your staff before and after the certification process.
Training courses include:
•    Appreciation and Interpretation of ISO 28000
•    Implementation of an ISO 28000 Security Management System
•    ISO 28000 Internal Auditor Training

About ISO/IEC 20000-1 & its Benefits

This standard states the requirements for an IT service management system. This system can be used by an IT service provider(internal and external) to ensure an approved level of service is delivered to their customers(internal and external), also this is intended for organizations who provide managed IT services such as infrastructure and/or applications support; this can be both for external delivery e.g. to clients who have outsourced their IT support, as well as for internal IT groups.
An ISO 20000 certificate proves that your IT service management system has been certified against a best practice standard and found compliant. Issued by a third party certification body/registrar, the certificate proves that you have established and effective to deliver quality IT services that meet customer requirements and service levels.
The standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization’s IT service management system.
ISO 20000-1 is established by the International Organization for Standardization (ISO) and is the standard used for certification. It has replaced BS 15000 and provides an internationally accepted IT service management system standard. Heavily based on the content of BS 15000, the material was reorganized to align and harmonize with other international standards
The standard also draws on and is well supported by other public documents including the sister standard ISO/IEC 20000-2 the ‘IT Service Management Code of Practice’ and the widely accepted guidance in the IT Infrastructure Library (ITIL®) drawn from the public and private sectors.
It takes a comprehensive approach to IT service management and defines a set of processes needed to deliver effective service. These range from core processes related to configuration management and change management to processes covering incident and problem management as well as those interacting directly with customers such as business relationship management.
ISO 20000 is aligned with other modern management systems standards and this supports consistent and straightforward implementation and operation where integrated systems are needed. The result is:
•    Harmonization with management system standards like ISO 9001 and ISO 27001.
•    Emphasis on continual process improvement of your IT service management system.
•    Clarification of minimum requirements for plans, documentation and records.
•    Effective use of the using a Plan, Do, Check, Act (PDCA) process model.

This globally recognized Information Technology Service Management Standard has been designed to shape consistency into the management of IT services and infrastructure, either internal or outsourced, benefiting employees and clients. The ultimate goal being effective overall IT service management, the standard is based on key processes ranging from service level management reporting, budgeting and accounting for IT services, to information security, supplier, incident, change and release management.
IT service organizations and IT departments in organizations with complex IT structures rely on ISO 20000-1 to demonstrate their service quality. It provides evidence of cost-efficient and reliable IT service management (ITSM) to internal as well as external customers. The standard is based on the IT Infrastructure Library’s (ITIL) Best Practice approach. While ISO 20000-1 specifies the requirements for IT service management, ITIL uses Best Practices to describe a systematic, professional approach to the management of IT services.

Aligning processes to ITIL helps IT service organizations identify and systematically improve the quality of IT services being offered. On this basis, Service Level Agreements (SLAs) can be agreed upon with customers. They contain measurable quality indicators and quality objectives.
Most businesses rely on information technology as one of their core business services. Many key operational processes rely on IT and changes within these processes require changes to the IT systems - affecting hardware, software, communications and support. This is the realm of IT service management and the scope of ISO/IEC 20000-1.
ISO/IEC 20000-1 is applicable to all sizes of organisation providing IT service management activities who wish to benchmark their existing IT service management. ISO/IEC 20000-1 is a British standard developed by the IT Service Management Forum (itSMF) that is gaining worldwide acceptance.

ISO 20000 Certification Benefits
ISO 20000 certification helps companies improve and streamline IT processes, boost effectiveness, and ensures a controlled, consistent high-quality delivery of services internally, and externally for extended networks and end-customers. This demonstrates a company’s commitment to upholding a reliable IT service and infrastructure, enhancing employee satisfaction and performance while boosting corporate image.
Some benefits are including:
•    Competitive advantages, because customers can be offered measurable and controllable service quality on the basis of SLAs
•    From this, Operational Level Agreements (OLA) can be defined. They provide the basis for the reliable and cost-efficient delivery of IT services.
•    Business Challenge
•    Companies in today’s global economy, no matter their size or industry, depend more and more on technology to promote and deliver their products to the market. This is complicated further by the fastpaced changes in technology. Whether you are an IT outsourcing firm, or a company depending on IT for its back-end and front-end processes, continuously improving the quality of your IT Service Management System with ISO 20000 certification from a trustworthy, independent certification body is essential. And with more and more companies requiring ISO 20000 certification as a prerequisite to signing deals, it is fast becoming obligatory.

Other key benefits include:
•    Cost reduction through increased productivity - ISO/IEC 20000-1 is management system based. The basis of the standard is the Plan-Do-Check Act cycle common with other management system standards. Which enables you to operate an integrated system and reduce duplication and costs.
•    Leveraging a proven set of best practices
•    ISO 20000 is recognized worldwide by the IT industry
•    Better alignment between business objectives and IT,reducing risks and improving communication between business areas and IT
•    Stakeholder confidence
Oxford Cert Universal Services
•    Certification - we can provide assessment and certification to ISO 20000.
•    Internal AuditAssessments - Oxford Cert Universaloffer gap analysis, preliminary assessments to prepare you for certification.
•    Training -Oxford Cert Universaloffer training which will prepare you and your staff before and after the certification process.

ISO/IEC 27001 Certification Benefits & Oxford Cert Universal Services

Some benefits are including:
- Compliance with legal, statutory, regulatory and contractual requirements.
- Improved corporate governance and assurance to stakeholders such as shareholders, clients, consumers and suppliers.
- Through a proper risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is
estimated, so your investment is allocated where it is necessary.
Implementing an effective information security management system will help identify and reduce information security risks, as it helps you focus your security efforts and protect your information.
Certification of your IT management from Oxford Cert Universal enables you to:
•    Meet internationally recognized requirements
•    Optimize your costs through transparent structures
•    Make security an integral part of your business processes
•    Better monitor IT risks through systematic risk management
•    Create transparency and trust in your dealings with customers and partners
Certifying your ISMS against ISO/IEC 27001 can bring the following benefits to your organization:
•    Demonstrates the independent assurance of your internal controls and meets corporate governance and business continuity requirements
•    Independently demonstrates that applicable laws and regulations are o erved
•    Provides a competitive edge by meeting contractual requirements and demonstrating to your customers that the security of their information is paramount
•    Independently verifies that your organizational risks are properly identified, assessed and managed, while formalizing information security processes, procedures and documentation
•    Proves your senior management’s commitment to the security of its information
•    The regular assessment process helps you to continually monitor your performance and improve
The main drivers for organizations to implement an information security management system and seek certification are:
•    Demonstration of responsibility towards protection of customer and own information
•    An effective framework for compliance with requirements, including data protection regulations
•    Contractual obligations or expectations in a business-to-business relationship
•    Potential cost saving due to improved operational control and loss management
•    A competitive market advantage through enhanced image and increased stakeholder confidence
Certification of your information security management system by Oxford Cert Universal provides assurance to the market and top management of your effective management of information, risks and legal compliance.
Oxford Cert Universal experience of information security management and certification of management systems is extensive.
With our Risk Based Certification approach, Oxford Cert Universal auditors focus on how well your information security management system supports the areas of greatest risk and interest to you, in addition to measuring compliance against elected standards. Our auditors know the business you are in and will apply their experience in ways that will improve and add value.
Information security management system certification may be combined with certification to other management system standards, e.g. ISO 9001, ISO 14001 and OHSAS 18001.
Commitment to information security certification to ISO/IEC 27001 is a powerful demonstration of an organisation's commitment in managing information security and you will gain a competitive advantage as more companies require certification to ISO/IEC 27001 as a prerequisite for doing business. You will be able to make a public statement of capability without revealing your security processes, and you can minimise business risk by ensuring controls are in place to reduce the risk of security threats and to avoid system weaknesses being exploited.
ISO/IEC 27001 is the only auditable international standard which defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls.
This helps you to protect your information assets and give confidence to any interested parties, especially your customers. The standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving your ISMS.
ISO 27001 certification shows your clients and partners the level of security that you have in place and the quality of your IT-based business processes. You establish a security process to systematically optimize your organization’s security measures to a level that you have defined in advance.
Benefit from additional synergies by incorporating your IT security management system within an integrated management system strategy. For instance, combine your IT security system with a quality management system, environmental protection certification, or industry-specific standards.

Oxford Cert Universal Services
•    Certification - we can provide assessment and certification to ISO/IEC 27001.
•    Internal AuditAssessments - Oxford Cert Universaloffer gap analysis, preliminary assessments to prepare you for certification.
•    Training -Oxford Cert Universaloffer training which will prepare you and your staff before and after the certification process.
We have assessors who are management systems experts and qualified in information security and IT. They have the experience and knowledge to give a thorough and objective audit of your information security management system to give you increased confidence in your own security measures as judged against best industry practice.
Certification services are subject to:
•    The extent to which the organizational structure is reflected in the IT network
•    The extent of network structures: internal/external networks
•    Multi-site networks
During certification, our auditors inspect the following areas:
•    Security policy
•    Organization of information security
•    Management of company assets
•    Employee security
•    Physical and environment-related security
•    Management of communications and operations
•    Access controls
•    System procurement, development, and maintenance
•    Management of security incidents
•    Compliance with legal and organizational requirements

IT & Security management & ISO/IEC 27001

Security is important. And it does not have to be difficult. Our experienced experts support you along the route to an individually tailored and systematic security strategy. This will help you prevent risks effectively and avert potential hazards.

About ISO/IEC 27001
ISO/IEC 27001 aims to ensure that adequate controls addressing confidentiality, integrity and availability of information are in place to safeguard the information of interested parties. These include customers, employees, trading partners and the needs of society in general.
The use of computer networks is being taken more and more for granted, both in public and private life. At the same time, the risks to data security and data protection are increasing, both internally and when communicating in public networks.
Information is a vital asset of any organization and confidential customer information entrusted to it brings special obligations. Unauthorized access to important information and knowledge capital, or its loss, can have significant negative impact on an organization, including interruption of business continuity, loss of strategic advantage, vulnerability to fraud, and damage to reputation.
ISO 27001 is an international standard giving requirements related to Information Security Management System in order to enable an organization to assess its risk and implement appropriate controls to preserve confidentiality, integrity and availability of information assets.
The fundamental aim is to protect the information of your organization getting into the wrong hands or losing it forever.
Dependence on information systems and services means organizations are more vulnerable to security threats. Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. By proper identification and classification
of those assets and a systematic risk assessment of threats and vulnerabilities your company can select appropriate controls to manage those risks and demonstrate that it is preserving confidentiality, integrity and availability of those information assets to clients, consumers, shareholders, authorities and society at large.
A certified information security management system demonstrates commitment to the protection of information and provides confidence that assets are suitably protected – whether held on paper, electronically, or as employee knowledge.
Expectations towards organizations protecting important information are ever present but often the means of assurance is not apparent. Significant incidents involving losses and fraud continue to make the headlines and cause concerns for customers and consumers in general. Consequently, customers, boards and other stakeholders, including the public, are increasingly demanding evidence of robust and effective information security and business continuity measures.
Information security management systems take a systematic approach to minimizing the risk of unauthorized access or loss of information and ensuring the effective management of protective measures put in place. They provide a framework for organizations to manage their compliance with legal and other requirements, and improve performance in managing information securely.
ISO 27001 is the most common and globally recognized standard for information security management systems and is applicable to any organization in any business sector.
The standard provides a comprehensive approach to security of information needing protection, ranging from digital information, paper documents, and physical assets (computers and networks) to the knowledge of individual employees. Subjects to address include competence development of staff, technical protection against computer fraud, information security metrics and incident management as well as requirements common to all management system standards such as internal audit, management review and continuous improvement.
In this management system, attention is paid to the following criteria:
•    Security policy
•    Inter-company security
•    Classification and monitoring of facilities and inventory
•    Personnel security
•    Physical and ambient security
•    Communications and operational management
•    Access control
•    System development and maintenance
•    Planning for business continuity
•    Adherence to internal and statutory requirements
ISO/IEC 27001 aims to ensure that adequate controls addressing confidentiality, integrity and availability of information are in place to safeguard the information of interested parties. These include customers, employees, trading partners and the needs of society in general.
Unprotected systems are vulnerable to all kinds of threats, such as computer-assisted fraud, sabotage and viruses. These threats can be internal or external, and both accidental or malicious. Breaches in information security can allow vital information to be accessed, stolen, corrupted or lost. How confident are you that your company has the appropriate controls and procedures in place to avoid such incidents?
An information security management system compliant to ISO/IEC 27001 can help you demonstrate to trading partners and customers alike that you take information security seriously.
Any company, who manages information and has to demonstrate how securely this information is handled, managed and distributed.
Information is critical to the operation and perhaps even the survival of your organization. Being certified to ISO/IEC 27001 will help you to manage and protect your valuable information assets.
ISO/IEC 27001 is suitable for any organization, large or small, in any sector or part of the world. The standard is particularly suitable where the protection of information is critical, such as in the finance, health, public and IT sectors.
ISO/IEC 27001 is also highly effective for organizations which manage information on behalf of others, such as IT outsourcing companies: it can be used to assure customers that their information is being protected.
IT security is a subject that affects all companies and organizations. Your IT system has an effect on all business processes. Which means it should also be managed as a whole. Make IT security your priority. Identify IT risks and counter them effectively through certification.