Secure payments: 10 steps to ISO 27001 information security management certification

ISO 27001 Information Security Management Systems is the international best practice standard for information security. The system promotes the efficient management and protection of a company’s valuable data and information assets helps to minimise exposure to risks like payment security breaches and hacking attempts, and provides customers and stakeholders with confidence in how businesses manage that risk.

In recent years many businesses have been left vulnerable to cyber assaults like ransomware and phishing attacks, placing an increased value on cyber security as a business priority for organisations worldwide. A growing number of companies from a variety of industries are seeking information security skills in response to the global growth in cyber-attacks. Unfortunately, the lack of equivalent growth in the skills required is worrying.

According to Michael Brown, CEO at Symantec,

‚ÄúThe demand for the (cybersecurity) workforce is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million‚ÄĚ.

Worldpay recently asked 4000 shoppers across Europe to provide insight into their payment behaviours, both current and predictive, across all payment channels. The research revealed that 68% of respondents viewed secure payments to be the most important factor when considering a payment method.

Combine this with increased regulation in data security i.e. EU General Data Protection Regulation (GDPR) and the more stringent security requirements of the revised Payments Service Directive (PSD2), it is hardly surprising that more businesses are taking action by implementing the organisational and administrative changes necessary to protect personal data from security breaches.

Benefits of ISO 27001 Certification

Ensures compliance with legislative requirements

ISO 27001 provides a framework for the management of data security risk allowing businesses to take into account their legal & regulatory requirements.

Gives customers confidence in an organisation’s ability to manage security risk

Improved internal organisation and an easily accessible framework for security allow for a swift response to customer expectations on the security of their data. This also demonstrates the organisation’s commitment to security protection and reassures stakeholders that a best practice framework is in place.

It offers a competitive advantage

As ISO 27001 is universally recognised as the hallmark of information security management, prospective customers will be more inclined to choose a business that demonstrates ISO 27001 Certification. Compliance with the standard also helps to retain existing clients.

Improves security awareness across an organisation

It prioritises information security at the senior management level which facilitates the clear definition of Information Security Management System (ISMS) roles and responsibilities throughout the business. This commitment to security management across the organisation also helps to reduce any potential for staff-related security breaches.

Steps to achieving ISO 27001 Certification

Achieving ISO 27001 Certification takes time and organisation. Here are some tips on how your business can achieve a seamless ISO 27001 implementation and ensure secure payments:

1. Demonstrate the value of certification to management

Senior management must support the project from the outset. This means demonstrating how certification will benefit the organisation by outlining the steps mentioned above. Management’s input into the design and operation of an ISMS will determine the success of the project.

2. Understand the standard

Businesses must understand the standard and the criteria that need to be met. Why the standard is being implemented and who it will impact are primary considerations. It may be useful to enroll in an ISO 27001 training course to get a very good understanding of the requirements for successful implementation. At this stage, it is also advised to secure someone (internal or external) who has solid experience in implementing an information security system for the role of managing the implementation process.

3. Perform a gap analysis

Undertake a gap analysis of existing policies and procedures. Understanding the maturity of existing controls within the business is necessary and determining the risk profile. This should also include a plan of recommended actions as well as guidance for scoping the ISMS.

4. Define the scope and objectives

Does the scope of the ISMS extend to the entire organisation or is only one department or geographical location to be considered? This is essential so that the boundaries of the ISMS and security responsibilities can be identified. Project costs and timeframes also need to be considered.

5. Review and update documentation

ISO 27001 certification requires in-depth documentation addressing all relevant milestones and individual controls. The Standard requires that documentation should include the scope of the ISMS, information security policy, security risk treatment process, and Statement of Applicability amongst others. A comprehensive list of mandatory documentation required for ISO 27001 implementation can be found on

6. Staff awareness training

It is necessary to make all staff aware of information security by familiarising them with the updated documentation and what they can do to ensure compliance. This could involve abiding by a clean desk policy or locking computers whenever they are away from workstations. A brief and easy-to-understand ISO 27001 and security introduction session is recommended to ensure that staff is aware of how they can contribute to achieving certification.

7. Conduct an internal audit

ISO 27001 requires internal audits of the ISMS to ensure that the system is effective. An internal audit of all procedures should therefore precede stage 1 of the certification audit.

8. Stage 1 audit

During this stage of the process toward certification, the independent auditor will review documentation to assess whether or not it is in line with the requirements of ISO 27001. The auditor will point out any areas of nonconformity and potential improvements in the management system.

9. Stage 2 audit

During the second stage of the audit, often referred to as the Certification audit, the auditor will conduct a thorough assessment to establish if the business is complying with procedures and policies defined in the ISO 27001 standard. Upon a successful pass, the auditor will issue a certificate stating that the business has met the ISO 27001 requirements, and recommend the company for ISO 27001 certification.

10. Ongoing reviews

An initial review will be held by an external auditor within 6 months of certification and annually thereafter to see if the ISMS is continuing to comply with the standard. Internal audits are conducted at planned intervals to ensure that ISMS is effectively implemented and maintained.

As a market leader in the provision of payment solutions for business and personal customers, Fexco Corporate Payments achieved ISO 27001 Certification in 2016. If you would like to make more cost-effective and secure payments, sign up today for a free account and get bank-beating FX rates.

Alternatively, you can contact us on Ireland: 1800 246 800

Share this article