INFORMATION SECURITY MANAGEMENT SYSTEMS QUOTE REQUEST FORM

Please provide the following information to enable us to confirm the costs of ISO 27001 registration.

1) Organisation details:
Company name:
Company number:
Main site address:
Postcode:
Tel:
Fax:
Web site:
Contact name:
Job title:
E-mail:
Tel:
Mobile:

2) How long has your management system been in place?

3) What activities are to be covered by your certification (scope)?
Information security management for...

4) Are you?
a. A new NQA client  Yes / No
b. A transferring client  Yes / No
   If a transferring client, please provide details of previous registration(s):
   Note: Copies of current certificates of registration and previous audit reports will need to be supplied.
c. Extending your scope?  Yes / No
   If yes, please provide details of the new scope:
d. Have you previously been registered with NQA?  Yes / No
5) Are you aware of any standards, regulations or laws with which your company or industry must comply? If so, list these below.
Legal (e.g. Data Protection Act, Computer Misuse Act etc.):
Regulatory (e.g. PCI DSS, Information Governance Statement of Compliance (IG SoC)):

6) Functions and business activities:
Site information - please give details of the employee numbers, addresses and activities of all sites requiring registration to ISO 27001.
Total in Organisation:
Total at Main Address:
Other Locations:

Address      | Headcount | Activities (customer facing services, design, product management and internal functions such as HR, finance, IT, sales etc.)
Main address |           |
Location 1   |           |
Location 2   |           |
Location 3   |           |
Location 4   |           |
Location 5   |           |
Location 6   |           |
Location 7   |           |
Location 8   |           |

Address, headcount and activities MUST be completed for all locations.
7) Outsourcing
Do you have outsourced or subcontracted activities?  Yes / No
Please provide details of outsourced or subcontracted activities:

8) ISO 9001 Certification:
Do you currently hold an accredited certificate of registration for ISO 9001?  Yes / No
If your registration is with a certification body other than NQA, please give details.
Standard:
Scope of Registration:
Certification Body:
Certificate No:

9) Risk level & complexity:

9a: Risk level:
Please identify the risk level (high, medium or low) for each of the three categories below (Legal and regulatory, business continuity and availability, information held/managed).

Category | Low | Medium | High | Rating
Legal & regulatory | Non-compliance is likely to lead to insignificant financial penalty or goodwill damage | Non-compliance is likely to result in significant financial penalty or goodwill damage | Non-compliance is likely to result in prosecution |
Business continuity & availability | Impact restricted to commercial/operational inconvenience | Lack of availability or outage has significant impact on essential services such as healthcare; outages are likely to receive prioritised response from national/local government emergency planning arrangements | Information must be available at all times (e.g. critical national infrastructure) |
Information held/managed | Information of a general nature | Sensitive and personally identifiable information (Note: this includes employee information) | High classification government information, e.g. secret and above; government emergency broadcast |
Examples | Commercial organisations, general businesses that do not form a critical part of supply chains or partnering for medium and high risk organisations. Note: to have a low risk rating the organisation must not hold personally identifiable employee information. | Hospitals, finance sector e.g. banks, local government, telecoms providers and others holding personally identifiable information / sensitive personally identifiable information. | Government ministries, critical national infrastructure (e.g. broadcast). |

Office Use: Final risk rating:
Comment:

9b: Complexity rating

Complexity Factor | Simple (S) | Complex (C) | Rating
Number of employees and contractor staff | <1,000 | >=1,000 | S / C
Number of users | <1 million | >=1,000,000 | S / C
Number of sites | <5 | >=5 | S / C
Number of servers | <100 | >=100 | S / C
Number of workstations + PC + laptops | <300 | >=300 | S / C
Number of application developers and maintenance staff | <100 | >=100 | S / C
Office Use: Overall complexity rating: S / C
Comment:

Office Use: Assessment durations

Assessment | On-site (days) | Programme management (days) | Total (days)
Pre-assessment (optional) | | |
Stage 1 | | |
Stage 2 | | |
Surveillance | | |
Recertification | | |

Completed by/date:
Approved by/date:

10) At what stage in the implementation of your ISMS are you?
Please indicate your progress in relation to the following phases:

Phase | Description | Completed | Planned completion date | Required for Stage 1 | Required for Stage 2
Step 1 | Definition of Policy Statement | Yes / No | | Y | Y
Step 2 | Defined the scope of your ISMS | Yes / No | | Y | Y
Step 3 | Completed your Risk Assessment | Yes / No | | Y | Y
Step 4 | Completed your Risk Treatment Plan document | Yes / No | | Y | Y
Step 5 | Selected control objectives and controls to be implemented | Yes / No | | Y | Y
Step 6 | Prepared a Statement of Applicability | Yes / No | | Y | Y
Step 7 | Completed security awareness training | Yes / No | | Preferable | Y
       | Completed internal audit of the ISMS | Yes / No | | Preferable | Y
       | Completed management review of the ISMS | Yes / No | | Preferable | Y
       | Completed and tested business continuity plans | Yes / No | | Preferable | Y
       | Operated the ISMS for at least 3 months | Yes / No | | Preferable | Y

(If YES to Step 7 b) how long has your ISMS been implemented?

Office completion: Timescales
Pre-assessment target date:
Stage 1 target date:
Stage 2 target date:
11) Consultant use:
Will you be using a Consultant to help you implement Information Security Management Systems?  Yes / No
(If yes, please complete their details below.)
Consultant name:
Address:
E-mail:
Tel:
Fax:

12) Completed by:
Date:
Company:
Name:

13) Where did you hear about NQA?
- By recommendation from consultant
- By recommendation from another company
- From an editorial
- From an advert
- Via NQA's web site www.nqa.com
- You are an existing NQA client
- From an exhibition
- Via a search engine, e.g. Google
- Other (please specify)
Please provide further details below:

If you have any problems completing this questionnaire please call 0800 0522424 or email sales@nqa.com.
Or print and send to: NQA Sales, Warwick House, Houghton Hall Park, Houghton Regis, Dunstable, Bedfordshire LU5 5ZX, UK

Data Protection Act 1998
This information is collected, processed and stored in accordance with the UK Data Protection Act 1998. Information will be held and used by NQA and may from time to time be used to send you marketing information relating to products or services we feel you may be interested in. Please confirm that you would be happy to receive this information by:
Fax:
E-mail:
Telephone:

Contact us
NQA, Warwick House, Houghton Hall Park, Houghton Regis, Dunstable, Bedfordshire LU5 5ZX, UK
T: 0800 0522424
E: sales@nqa.com
www.nqa.com/isms

QF/ISMS/03/NOV15