ISO 27001 for Hotels & Hotel Chains™ project is part of the DATA SECURITY for Hotels & Hotel Chains™ umbrella to provide consulting services for the development, implementation and eventually the successful on certifying the information security management system with ISO 27001: 2013 for individual hotels or groups.
The documentation of the internal organization and of the operational functioning of the unit or the group in accordance with the Standard ISO 27001:2013 in the form of an information security management system and its subsequent certification by a competent body contributes to protecting the integrity, confidentiality and availability of corporate information, as well as the employee productivity. In this way the organization of the business is completed, while at the same time the trust of the visitors in matters of information security is significantly enhanced.
The Fundamental Principles of Information Security – which the standard attempts to secure – are based on three key elements:
Confidentiality: Ensuring the accessibility of the information only by those who have the necessary rights.
Integrity: Securing the accuracy and completeness of the information and its processing methods.
Availability: Ensuring the accessibility of information to authorized users whenever required.
ISO 27001 Standard requires an enterprise to establish, implement, maintain and continuously improve an Information Security Management System (ISMS). As with any ISO standard, ISO 27001: 2013 follows the “Plan-Do-Check-Act” (PDCA Cycle) cycle of continuous improvement.
The benefits that an organization enjoys following the standard are numerous:
- Implementation of clear security policies for all members of an organization and third parties
- Analysis of threats, weaknesses and risks
- Implementation of the appropriate countermeasures
- Existence of mechanisms for the continuous development of the organization
- Effective incident management
- Compliance with legal and regulatory requirements
- Existence of effective KPIs (Key Performance Indicators)
- Development of trust relationships with customers and partners
- Improvement of company reputation.
In summary, the objectives of the project ISO 27001 for Hotels & Hotel Chains™ are:
- The design and development of the ISO 27001: 2013 system
- Supporting the preparation and implementation of the system
- The training and informing of the users involved
- Checking the system to confirm its effective, harmonious operation and to indicate any gaps
- The support of the Group during the inspection and certification by the auditing body.
An analysis of the actions an organization must undertake at each stage of the standard to comply according to this specific standard, follows. The Implementation Stages of the Project are the following:
A. Capture of the Needs and of the Existing Situation
- Recording the interested members (customers, suppliers, etc.) and analysing the requirements on information security matters
- Recording the infrastructures and procedures
- Recording an organization chart and information flow
- Recording of services provided related to the implementation of the system
- Recording data to be protected.
B. Risks Analysis and Reaction Recording
A Data Protection Impact Assessment is carried out to assess the risks and consequences of information leakage or loss of their availability. The weaknesses and the possible points of loss or leakage of information are recorded and a risk management plan is prepared indicating the actions to be taken to limit the risks. The finally accepted by the organization risks and the procedure of emergency incidents response are recorded, while recording the potential risks of the Vulnerability Assessment with automated tools and delivering a relevant report.
An additional Penetration Test (an attempt to exploit the weaknesses emerging from the Vulnerability Assessment) is recommended and can take place, which however is not required from the compliance according to ISO 27001.
C. Designing an Information Security Policy
The organization’s Security Policy is formulated to express the Company’s policy on Information Security. This includes all the individual Policies required by the Standard (Access Policy, Protected Area Policy, etc.).
Following, the required procedures that describe how the Information Security Policy, set out above, is implemented in practice, are drafted. The exact name and structure, as well as the number of the procedures to be written, cannot be precisely predetermined at this stage.
The writing of the Information Safety Manual and Information Security Procedures and Working Instructions is the most time-consuming phase of the project. Care must be taken to ensure that the procedures to be produced are realistic and practicable. Both the active participation of business executives and the experience of the consultant who will recognize the specifics of the company and adapt them to the requirements of ISO 27001: 2013, contribute to this.
D. System Implementation
- Distribution of the procedures to the competent persons per departmental and per task
- Supporting the company’s staff for the implementation of the procedures
- All-staff informative training seminar with a duration of 2-3 hours to understand the requirements of the standard and facilitate the implementation of the procedures within the planned Information Security Management system.
E. Control and Preparation for the Certification
- Internal inspection according to the applicable procedure, with the presence of the consultant
- Preparation of an internal audit report, analysis of deviations and description of necessary corrective actions to remove the deviations
- Support for the implementation of the necessary corrective actions
- Supporting the company for the call and other necessary consultations with the responsible certification body
- Supporting the business throughout the inspection until the certificate is received.