The property sector information security landscape
For organisations operating in the property, proptech and surveying sector, complying with professional governance requirements like the Royal Institute of Chartered Surveyors (RICS) Code of Conduct and privacy legislation such as GDPR can be crucial to success.
Failing to prevent or appropriately respond to security incidents like data breaches can cause severe reputational damage. On the other hand, building an information security management system (ISMS) and achieving certifications like ISO 27001 can be a key differentiator between your business and your closest competitor in a tender.
What is ISO 27001?
ISO 27001 is a globally-recognised standard and best practice for information security. The standard is a framework enabling your organisation to establish, implement, operate, monitor, review, maintain and continually improve an ISMS.
An ISMS, when aligned with ISO 27001 standards, systematically ensures the confidentiality, integrity and availability of data and information assets. Successful ISO 27001 certification proves to your current and potential customers that your organisation is efficiently managing the security and confidentiality of information you hold.
As well as the reputational benefits ISO 27001 brings for property organisations, certification also ensures that your business is more resilient to cyber attacks, reduces the risk of costly data breaches – and reduces the potential cost and damage if a breach is successful. It also helps you comply with other industry-wide pieces of legislation, such as GDPR.
How does ISO 27001 certification help the property sector comply with the RICS Rules of Conduct?
In line with the latest RICS Rules of Conduct released in 2021, ISO 27001 can help property organisations comply with several requirements.
1.9 Members and firms protect confidential information and only use or disclose it for the purposes for which it was provided, where they have the necessary consent to do so or where required or permitted by law.
3.5 Members and firms undertake their work in a timely manner; with due care, skill and diligence, and in accordance with RICS technical standards.
3.12 Members and firms check that all data used is accurate and up to date, is kept securely, and that they have proper legal rights to use it and, where required, share it.
ISO 27001 certification helps address all of the above requirements. Data protection is a key topic and to do this successfully, businesses need to know:
- The data they have
- The risks that exist
- What they can do to mitigate that risk
- How to help their staff and clients with the right processes.
All of these points are clearly addressed within the ISO 27001 framework.
Is ISO 27001 right for your property organisation?
Is your organisation completing important information security tasks using Word, Excel and document storage files that aren’t linked up or automatically aligned?
Are your policies and procedures at risk of going out of date or not reviewed by relevant (or all) staff?
Are you struggling to log your information assets and the risks associated with them, or unable to easily collect evidence?
Building an ISMS that aligns with ISO 27001 could be the solution.
What does the ISO 27001 certification process look like?
At Hicomply, we break down the ISO 27001 certification process into six steps, as outlined below.
Step 1: Scope your ISMS
Define the scope of your ISMS to ensure that your ISMS suits your organisation.
Your ISMS scope should account for:
- Company size
- Legal and regulatory requirements
- Any external and internal issues.
Step 2: Create your asset register
The purpose of your asset register is to record and manage your assets.
Assets include elements such as your organisation’s hardware, software, information and infrastructure.
Step 3: Carry out risk assessments and treat identified risks
Risk assessment and treatment ensures that you understand how risks could impact your organisation and have a plan in place to mitigate these risks.
Step 4: Apply policies and procedures
Next, document your policies and the processes that protect your data. The number of policies required for ISO 27001 certification varies depending on the size of your business, your industry and the regulations or laws you must comply with.
Step 5: Generate your statement of applicability (SoA)
To create your SoA, you should include each clause, control ID, evidence of your decision to include or exclude each control in the scope of your ISMS, the process owner, and any further information such as risks mitigated.
Step 6: Carry out your internal audit
The internal audit is key to ensuring your business’s ISMS meets the requirements for the ISO 27001 standard, and will put you in the best position for success when it comes to bringing in an external auditor. Discover how prepared your organisation is with our ISO 27001 internal audit checklist.
Once you’ve completed your internal audit and addressed any issues raised, you’re ready to ace your external audit and achieve certification.
Learn more about the six steps to ISO 27001 certification.
How long does it take to get ISO 27001 certified?
The traditional route to ISO 27001 certification, involving hundreds of spreadsheets and documents for evidence, often takes businesses up to a year to prepare for an external audit and certification. Businesses using Hicomply can be audit-ready in two to three months using our ISMS scoping tool, automated asset register, task management tool, policy and procedure library and third-party integrations.
Team Hicomply has helped hundreds of companies on the journey to ISO 27001 compliance, and we work with many organisations in the property sector.