Information Security

Information Security, known as InfoSec, is the protection of information through the identification and mitigation of risks as they pertain to information assets. The fundamentals of any Information Security initiative is to ensure adequate protections of the information in terms of its Confidentiality, Integrity and or Availability, known as the CIA triad. 

Today, every organisation, from the individual person to the organisation with thousands of employees across multiple locations, has a need to apply the appropriate level of information security within their business to protect their information assets. We can help you determine what is the appropriate level for your business.

Information Security Management Systems

Security Standards

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.


ISO 19600:2014 provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization.

The guidelines on compliance management systems are applicable to all types of organizations. The extent of the application of these guidelines depends on the size, structure, nature and complexity of the organization. ISO 19600:2014 is based on the principles of good governance, proportionality, transparency and sustainability.


Important News:

Following the systematic review of ISO 19600 Compliance management systems – Guidelines, TC309 requested a task group to examine the options for a revision and in September 2018, it was agreed to revise ISO 19600 as a requirements standard (with a new number, ISO 37301). The work has been assigned to ISO/TC 309 Working Group 4 (WG4) and the standard is scheduled for completion by the end of 2020.

The consultation draft and ballot (DIS) for ISO 37301 closed on 5th June 2020, and the draft was APPROVED. The comments made on the DIS were discussed by WG4 at its meeting September and the standard will submitted for final ballot, with a view to being published in Q1 2021.

Please note that the guidelines in ISO 19600:2014 will current until publication of ISO 37301.

ISO 37001:2016 specifies requirements and provides guidance for establishing, implementing, maintaining, reviewing and improving an anti-bribery management system. The system can be stand-alone or can be integrated into an overall management system. ISO 37001:2016 addresses the following in relation to the organization’s activities:

· bribery in the public, private and not-for-profit sectors;

· bribery by the organization;

· bribery by the organization’s personnel acting on the organization’s behalf or for its benefit;

· bribery by the organization’s business associates acting on the organization’s behalf or for its benefit;

· bribery of the organization;

· bribery of the organization’s personnel in relation to the organization’s activities;

· bribery of the organization’s business associates in relation to the organization’s activities;

· direct and indirect bribery (e.g. a bribe offered or accepted through or by a third party).

ISO 37001:2016 is applicable only to bribery. It sets out requirements and provides guidance for a management system designed to help an organization to prevent, detect and respond to bribery and comply with anti-bribery laws and voluntary commitments applicable to its activities.

ISO 37001:2016 does not specifically address fraud, cartels and other anti-trust/competition offences, money-laundering or other activities related to corrupt practices, although an organization can choose to extend the scope of the management system to include such activities.

The requirements of ISO 37001:2016 are generic and are intended to be applicable to all organizations (or parts of an organization), regardless of type, size and nature of activity, and whether in the public, private or not-for-profit sectors. The extent of application of these requirements depends on the factors specified in 4.1, 4.2 and 4.5.


This document provides guidance for organizations to create a whistleblowing management system based on principles of trust, impartiality and protection. It is adaptable, and its use will vary with the size, nature, complexity and jurisdiction of the organization’s activities. It may assist an organization to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.


ISO 28001:2007 provides requirements and guidance for organizations in international supply chains to

 – develop and implement supply chain security processes;

 – establish and document a minimum level of security within a supply chain(s) or segment of a supply chain;

 – assist in meeting the applicable authorized economic operator (AEO) criteria set forth in the World Customs Organization Framework of Standards and conforming national supply chain security programmes.

In addition, ISO 28001:2007 establishes certain documentation requirements that would permit verification.

Users of ISO 28001:2007 will

 – define the portion of an international supply chain within which they have established security;

 – conduct security assessments on that portion of the supply chain and develop adequate countermeasures;

 – develop and implement a supply chain security plan;

 – train security personnel in their security related duties.


This document specifies requirements to be met by a management system for records (MSR) in order to support an organization in the achievement of its mandate, mission, strategy and goals. It addresses the development and implementation of a records policy and objectives and gives information on measuring and monitoring performance.

An MSR can be established by an organization or across organizations that share business activities. Throughout this document, the term “organization” is not limited to one organization but also includes other organizational structures.

This document is applicable to any organization that wishes to:

— establish, implement, maintain and improve an MSR to support its business;

— ensure itself of conformity with its stated records policy;

— demonstrate conformity with this document by

1 – undertaking a self-assessment and self-declaration, or

2 – seeking confirmation of its self-declaration by a party external to the organization, or

3 – seeking certification of its MSR by an external party.


ISO 44001:2017 specifies requirements for the effective identification, development and management of collaborative business relationships within or between organizations.

ISO 44001:2017 is applicable to private and public organizations of all sizes, from large multinational corporations and government organizations, to non-profit organizations and micro/small businesses.

Application of ISO 44001:2017 can be on several different levels, e.g.

· a single application (including operating unit, operating division, single project or programme, mergers and acquisitions);

· an individual relationship (including one-to-one relationships, alliance, partnership, business customers, joint venture);

· multiple identified relationships (including multiple partner alliances, consortia, joint ventures, networks, extended enterprise arrangements and end-to-end supply chains);

· full application organization-wide for all identified relationship types.


Don't hesitate to contact us to discuss your requirements. We can chat via phone, video call or email as per your preference! 

Contact Us now and a member of the team will be happy to speak with you!