ISO 27001

ISO 27001 Consulting Services: Readiness, Implementation, Audit and Program Management

Overview

  • Protect what matters most: Safeguard your business's sensitive data and ensure compliance with the ISO 27001 standard through expert guidance.
  • Tailored security solutions: Our consultants design customized strategies to meet your unique security needs, reducing risks and vulnerabilities.
  • Expert-driven implementation: With years of experience, we help streamline the certification process, saving you time and resources.
  • Take the first step now: Secure your company's future by contacting us today. Let's discuss how we can fortify your information security strategy.
  • Ready to get started? Please fill out our contact form.
               

Start Your ISO 27001 Journey Now!

ISO 27001 Certification Consultant
      

ISMS – ISO 27001 Consulting Engagement Phases

               

Here is a brief overview of all the phases involved in implementing an ISMS and achieving ISO 27001 certification.

            

Phase I - Understanding Business and Security Objectives

  • Every client is unique in its business model, customers, and information security requirements.
  • The ISMS-ISO 27001 implementation journey starts with this phase, where we determine and document the client's business requirements for the information security management system (ISMS).
  • This is where the ISMS context, the requirements of internal and external parties, and the scope are determined and documented.
               

Phase II - Gap Analysis and Risk Assessment

  • Discover vulnerabilities: Our thorough gap analysis uncovers hidden risks in your current information security practices, identifying the areas where your organization falls short of the ISO 27001 requirements.
  • Customized action plan: Based on our findings, we develop a tailored roadmap to bridge the gaps, ensuring your organization aligns with the required security controls and compliance measures.
  • Confidence in compliance: By addressing weaknesses, we empower your team to strengthen security processes and move confidently toward ISO 27001 certification, protecting your business from future threats.
  • Interesting fact: Our gap analysis for most customers reveals that they are in the range of 14-19% compliant with ISO 27001. In our experience this range is typical of organizations that are not yet ISO 27001 certified.
               

Phase III - ISO 27001 Implementation

ISMS implementation is the foundation for ISO 27001 certification and for reducing cyber security risks. There are four pillars to a comprehensive implementation:

  • Policies and Procedures: Coral provides 15+ policies aligned to your applicable requirements based on the Statement of Applicability.
  • Tasks/Tickets/Proof of Concept: About 20+ items that ensure security and compliance requirements are embedded in each organizational process.
  • Secure Configurations: Ensuring that your current technical controls are optimally configured.
  • Risk Mitigation: Specific, actionable advice to reduce identified risks and support the implementation.
                  

Phase IV - Training & Brainstorming Sessions

  • Training of the staff involved in ISMS operations is a key factor in successful ISMS implementation.
  • An ISMS relies on company staff being involved in defining their own internal security controls.
  • Our consultants deliver a combination of trainings, including awareness, risk management and interpretation of the standard.
  • Each document or risk undergoes brainstorming with staff to arrive at a 'best-fit' solution for the organization.
               

Phase V - Internal Audit and Management Review

  • The ISO 27001 internal audit starts with preparing an ISO 27001 checklist and selecting the client staff responsible for the controls as auditees.
  • The internal audit verifies the effectiveness of the implemented controls through interviews and system-level verification of the applicable controls.
  • A formal report is published for the management team.
  • We facilitate reviews with management to ensure that the initial ISO 27001 policy objectives and goals are achieved.
               

Summary

At this stage:

  • As a result of undergoing these phases, Coral has assisted the client in implementing an operational information security management system (ISMS) that includes people, process, and technology changes, with ongoing measurement.
  • Each of the ISO 27001 certification requirements has been achieved.
  • The organization is now ready to invite an external certification body to certify it for ISO 27001.
               

Phase VI - External Certification Support

The chosen external certification body performs the ISO 27001 certification audit in two stages:

  • Stage 1 - Documentation Review, and
  • Stage 2 - Implementation Verification

With the two stages completed, the certification body issues an ISO 27001 certificate. Upon receiving the certificate, the client is officially ISO 27001 certified. This is the time to celebrate!

              
               
     

ISO 27001:2022
Brief Overview

  • ISO 27001:2022 consists of management system requirements and annexure (Annex A) controls.
  • The management system requirements help design the governance system, whereas the annexure controls assist in choosing the applicable controls to reduce information security risks.
  • There are currently 30 individual requirements in the ISO 27001 management system section and 93 controls in the annexure section.
  • The table below breaks down the requirements and the annexure controls by area.

Control Area                                    Total Controls
Management System Requirements (Clauses 4-10)   30
Organizational Controls                         37
Personnel (People) Controls                      8
Physical Controls                               14
Technical (Technological) Controls              34
Total                                          123

ISMS – ISO 27001 FAQs

            
  • How fast can a company achieve ISO 27001 certification?
    • ISO 27001 certification requires the presence of a management system and the successful implementation of the applicable annexure controls.
    • Most organizations that are not yet certified already have 20-30% of the annexure controls in place. How do we know this? It is based on our experience from initial gap analyses.
    • To achieve certification, the organization needs to implement the pending applicable annexure controls and a system of governance.
    • The speed depends on several factors, including the choice of consultants, the organization's readiness to address the identified gaps, agreement on the policies and procedures, and a holistic approach that involves all functional heads in the journey.
    • A small organization with one production network, one location, and fewer than 100 people would generally take 2-3 months to accomplish this.
    • A larger organization with more people does not necessarily take more time; it is a function of the applicable controls, the identified gaps, and how quickly everyone collectively comes together to make the security decisions and carry out the implementation.
    • Do not forget to add the time the certification body will take to perform the stage 1 and stage 2 audits.
    • For a more precise discussion, reach out to us.
  • What are the mandatory requirements in ISO 27001?
    • Unfortunately, this is not as straightforward an answer as you might think :-)
    • But here is a sincere attempt.
    • The management system requirements (Clauses 4 to 10) are mandatory.
    • The set of applicable annexure controls is determined by the risk assessment and recorded, with justification, in the Statement of Applicability (SOA).
    • See the table above for the four sections of the annexure controls.
    • Among the annexure controls, some sections apply to practically every organization, because every organization has organizational and personnel controls.
    • For organizations working fully remotely, many of the physical security controls may not apply.
    • The technical controls require assessment based on whether you run your own data center or are in the cloud, and whether you have an in-house development team or use a third party. Based on those facts, controls can be added or removed.
    • For instance, if you do not develop applications in-house, the controls linked to secure development and its network requirements can be marked not applicable, with the justification recorded in the SOA.
    • For a more precise discussion on the applicability of controls, reach out to us.
  • What is information security?

    Information is anything that has business value. Security is protection against loss of confidentiality, integrity and availability. Combined, in the context of any organization, information security is the protection of all information that the business considers 'valuable'.

  • What is an information security management system (ISMS)?
    • An ISMS is an organizational framework that defines a set of rules, policies, and procedures to ensure the protection of information.
    • An ISMS is a management program driven by a management representative such as the Chief Information Security Officer (CISO).
  • What is ISO 27001 certification?
    • ISO 27001 certification is what an organization achieves upon demonstrating that it has implemented an ISMS conforming to the standard.
    • The ISO 27001 certificate is issued by a certification body upon completion of a two-stage audit.
    • An ISO 27001 certificate is valid for three years, subject to annual surveillance audits.
    • An ISO 27001 certificate provides assurance to your customers that you have implemented 'optimum' security in all processes that handle sensitive data.
  • What are the benefits of implementing an ISMS?
    • Implementing an ISMS helps an organization protect its information and digital assets proactively.
    • It reduces the likelihood of a successful attack, as systems and processes are designed to keep the organization and its information assets secure.
    • Processes such as risk assessment ensure that every change in the organization considers security as part of its implementation.
    • Controls such as threat intelligence ensure you stay proactive as new threats develop in the wild.
    • An annual calendar of 'management system' activities ensures there is an overarching role guiding the organization's security-related decisions.
  • How much does it cost to implement ISO 27001:2022?

    A number of factors play a role in determining the fee, such as:

    • Scope of the business and the information systems involved.
    • Number of business locations.
    • Number of networks, including cloud service providers.
    • Presence of application development in scope.
    • Identified gaps or risks.

    Please contact us; we are fairly quick in submitting a commercial proposal.

  • What are the key phases of implementing an ISMS?

    The phases of implementation include understanding the business, listing all information assets, conducting a gap analysis, risk assessment and risk management, policy documentation, testing and measurement of controls, internal audit, and awareness training for all stakeholders.

  • What are the roles and responsibilities of an ISO 27001 Certification Consultant?

    An ISO 27001 certification consultant has the following skills and responsibilities:

    • An ISO 27001 certification consultant combines the roles of business analyst, risk assessment specialist, security architect, and security policy specialist in one.
    • The main responsibility is to enable an organization to achieve ISO 27001 certification through a formal process of gap analysis, documentation, process measurement, technical implementation, and internal audit.
    • Ability to explain the ISO 27001 requirements to the organization, including management, functional owners, and employees, and to enable them to implement secure practices.
    • Ability to perform security risk assessment and risk remediation.
    • Awareness of the latest changes in technology, security breaches, and risk management practices.
    • Ability to draft and implement the company-specific policies and procedures that drive the security operations of the organization.
    • Ability to articulate and communicate risk to management in a way that elicits risk mitigation decisions.
    • Ability to manage an ISMS compliance program that supports a dynamic business environment.
  • How to make an ISO 27001 Certification Checklist?

    Creating an ISO 27001 checklist is a challenging but interesting task that requires, on one hand, an understanding of the ISO 27001 requirements and, on the other, an understanding of the organization's business, strategic information risks, and information assets.

    ISO 27001 has control requirements covering several domains, including:

    • Strategic
    • Technical
    • Physical
    • Personnel
    • Suppliers
    • Process

    Phase A – ISO 27001 requirement checklist

    The journey starts with obtaining a copy of the ISO 27001 controls and using it to create a meta template in which, against each requirement, one prepares the ISO 27001 questions using one or more of the following:

    • What to ask?
    • What to check?
    • Whom to ask?

    Phase B – Business requirement checklist

    Each business is somewhat unique in its context, so the next step is to gather enough information about the organization, such as:

    • Main business
    • Products and services
    • Information to be secured
    • Information systems in use
    • Number and location of users
    • Applications developed
    • Network locations
    • Office locations
    • Supplier list and their services
    • Individual roles and nominations

    With this, one has created the organizational context necessary to apply the questions from Phase A.

    An ISO 27001 checklist is incomplete with just the standard questions; there is always a need to prepare the questions in the context of the organization to which they are applied.

    A complete ISO 27001 checklist strategy therefore needs both the ISO 27001 control checklist and the organizational checklist.

  • What does the ISO 27001 certification body lead auditor look for when certifying an organization?

    An ISO 27001 certificate is issued by a certification body and is valid for three years, subject to the organization continuing to fulfil the requirements of the standard.

    In the first year the certification body performs two stages of audit, namely stage 1 and stage 2.

    The stage 1 audit is the documentation audit, where the auditor checks that the documentation aligns with the applicable requirements as per the organization's Statement of Applicability (SOA).

    Stage 1 questions are centred on company policies and procedures and demonstrate the organization's 'intent'.

    The stage 2 assessment aims at verifying 'implementation and effectiveness'. This stage is much more comprehensive: the certification body auditor looks for evidence of implementation across all domains and controls that are applicable to the organization.

    Stage 2 focuses on the technical side of the implementation, which includes the following:

    • Cloud security controls
    • Network security controls
    • Application development security lifecycle controls
    • Human resource controls
    • Physical security controls
    • Supplier management controls
    • Other 'security management' processes

    Once assured of the 'intent, implementation and effectiveness', the certification body issues the ISO 27001 certificate to the organization.

  • How to define a scope statement in the ISO 27001 certification journey?

    The scope statement is an important statement for any organization's ISO 27001 certification, as it reflects the business and the supporting functions covered by the information security management system (ISMS).

    A scope statement generally has the following four parts:

    Part 1 – About the business; the sentence looks like:

    The information security management system (ISMS) applies to the delivery of [Software as a Service (SaaS)] OR [business process outsourcing].

    Part 2 – Industries that you serve; the sentence may look like:

    The services cater to the healthcare industry.

    Part 3 – Internal teams or functions:

    The ISMS is supported by internal teams such as Product Management, Application Development, Cloud Operations, DevOps, IT Operations, Human Resources, Legal, Procurement, Physical Security and Business Development.

    Here you list the functions as per the organization structure, naming all teams that participate.

    Part 4 – Reference to the Statement of Applicability (SOA):

    This is as per Statement of Applicability (SOA) version 1.0.

    Note that the SOA is where all the applicable and not applicable controls are listed.

  • What is the ISO 27001 Statement of Applicability (SOA)?

    The SOA is a document created by the organization to demonstrate its alignment with the standard list of annexure controls.

    • It declares which controls are applicable and which are not.
    • It records the justification for both applicable and not applicable controls.
    • It is the basis on which a company gets certified. The ISO 27001 certification auditor uses the SOA to judge the scope of compliance.
    • As a best practice, we advise clients to add further columns to the SOA, such as the related documentation and the risk owner, i.e. the team responsible for enforcing the control in the organization.
  • How to fulfil the ISO 27001 cloud security requirements?

    Cloud security is a shared responsibility. Each cloud service provider, whether SaaS, PaaS or IaaS, publishes a shared responsibility model that defines which controls the provider operates and which remain the customer's responsibility.

    In our ISO 27001 Consulting Services, we assist clients in determining the shared controls that apply to them and support them through the gap analysis and implementation process.