Post.Trust is delighted to announce it has successfully achieved ISO 27001 certification. Following a full Information Security audit conducted over the 5th, 6th and 7th of September, 2007 by Certification Europe, PCI has been re-certified to ISO 27001 (transitioned from BS 7799-2, the standard ISO 27001 superseded in 2005). The ISO 27001 standard has enhanced the content of BS 7799 and harmonises it with other international management-system standards such as ISO 9001:2000 (Quality) and ISO 20000-1 (Service Management).
Post.Trust was first successfully audited against BS 7799 for Information Security Management in 2003. Post.Trust subsequently undergoes surveillance audits twice a year against the standard and a full audit every three years for re-certification. The scope of the audit covers all aspects of the company's operations that are involved in the management and delivery of its Internet Hosting, Post.Trust and Postbank operations.
The on-site audit process, which was conducted over three days, involved two auditors from Certification Europe. The audit process is extremely thorough, involving interviews with Post.Trust management and staff and review of the documented Information Security Management System (ISMS) and the evidence that its controls are operating. Post.Trust has maintained certification based on the 'Plan, Do, Check, Act' (PDCA) model on which ISO 27001 is built: plan the ISMS, implement and operate it, monitor and review it, and then maintain and improve it. This certification covers controls relating to Operations, Product, Service and Supplier. In total, the company was evaluated against the 11 security control clauses of ISO 27001 Annex A, which together contain more than 100 individual controls. An overview of the 11 control clauses and their objectives is listed below:
- Security Policy
To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
- Organizing Information Security
To manage information security within the organization.
- Asset Management
To achieve and maintain appropriate protection of organizational assets.
- Human Resources Security
To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
- Physical and Environmental Security
To prevent unauthorized physical access, damage, and interference to the organization’s premises and information.
- Communications and Operations Management
To ensure the correct and secure operation of information processing facilities.
- Access Control
To control access to information.
- Information Systems Acquisition, Development and Maintenance
To ensure that security is an integral part of information systems.
- Information Security Incident Management
To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
- Business Continuity Management
To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
- Compliance
To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.
This standard is recognised worldwide and sets out the requirements for an Information Security Management System, against which an organisation's ability to protect its own and its customers' information assets against loss, damage or misuse is independently assessed. Such loss could result from any one of a number of different events, including malicious attack, unauthorised physical or electronic access, fraud, human or system error, or environmental disaster such as fire, explosion or flooding.
Any organisation that holds information of a confidential or sensitive nature, in either hard copy or electronic form, must consider the controls required to ensure the security of that information. This obligation arises from risk management, legislative compliance, regulatory demands and good business practice. Certification gives external organisations independent assurance that Post.Trust's procedures and documentation conform to this standard.