
Management system for information security

What is information security?

Information security is about managing and protecting information based on requirements for:

Information security is also an important part of protecting personal privacy. Protecting information about individuals is a prerequisite for meeting data protection requirements.

Disruptions to access to information can affect an organisation’s ability to function. A systematic approach to information security enables the organisation to continue operating even if something unexpected happens, such as an outage, a disruption, or information ending up in the wrong hands.

Certification according to ISO/IEC 27001

An organisation can build an information security management system according to the international standard ISO/IEC 27001 and then have it certified.

Certification is particularly relevant for organisations that handle large amounts of sensitive or valuable information, for example within:

A certification shows customers, partners, and authorities that the organisation works systematically with information security.

Certification according to ISO/IEC 27701 – for organisations that handle personal data

Personal data management and information security are closely linked. Protecting the confidentiality, integrity, and availability of personal data is a prerequisite for effective data protection work, which makes ISO/IEC 27001 a natural starting point for data protection issues as well.

ISO/IEC 27701 is a standard specifically designed for personal data management systems. It was previously an extension to ISO/IEC 27001, but is now a standalone standard. This means an organisation can certify its management system directly against ISO/IEC 27701, without also being certified according to ISO/IEC 27001.

Swedac accredits certification bodies for both ISO/IEC 27001 and ISO/IEC 27701.

Information for those who want to certify their management system

A certification is carried out by a certification company. Accredited certification companies are also called certification bodies and are listed in Swedac’s accreditation register.

Certification bodies design their certification process according to the requirements of SS-EN ISO/IEC 17021. Among other things, there are requirements for:

- the initial certification assessment to be carried out in two stages
- on-site follow-up to be carried out at least once a year
- a more thorough evaluation of the system’s effectiveness and need for changes to be carried out after a maximum of three years, as a basis for the next three-year period.

Information for those who want to become accredited

Impartiality, competence, the organisation’s own management system, and the certification process are the focus of Swedac’s assessment for accreditation of certification bodies for management systems. Swedac also examines the practical work on site, for example by observing audits.

Accreditation is assessed against Swedac’s applicable regulations (STAFS), the requirement standard for certification bodies that certify management systems, ISO/IEC 17021-1, and the standard SS-EN ISO/IEC 27006. These standards can be purchased from SIS, the Swedish Institute for Standards.

Guidance documents are also available from the international organisations IAF and EA.