ISO 27001 Consultancy
What is ISO 27001?
ISO 27001 is the gold standard for managing information security. It requires your organisation to establish and practise good, documented cyber security, which can then be audited by a third-party certification body.
ISO 27001 is ‘risk based’, meaning that you must understand your threats, know where you are vulnerable, and put in place controls to minimise the chance of a damaging security incident.
Why DLP Assured for ISO 27001?
Our ISO 27001 experienced consultants can help you establish the correct practices required for creating and operating your ISO 27001 compatible information security programme.
The DLP ISO 27001 Fast-Track service uses our tried and tested unique 27001 dashboard combined with expert consultancy and our ‘DLP Data Protection Framework’ to streamline and speed up your project.
What do we need to do to get ISO 27001?
Getting ISO 27001 is a very straightforward process but (as is to be expected) increases in difficulty as organisations increase in size and complexity.
That said, the process for all organisations to get ISO 27001 requires the following key steps:
- Develop an understanding of your organisation and its information assets
- Assess your risks
- Determine and implement your controls to minimise risks
- Create your ISMS including writing policies, procedures and standards
- Operate your ISMS
- Perform internal audits
- Learn from and remediate non-conformities
- Have an external audit performed by a certification body
- Continue operating the ISMS and audit your processes occasionally to see if you are on-track. Correct any non-conformances.
You are always in control
Each DLP client project has a dedicated ISO 27001 expert to help and provide guidance. They will use our unique 27001 Project Management Dashboard to simplify, track and control your project from start to finish.
Project stakeholders can access the 27001 Project Management Dashboard at any time. They can view the project plan, see which tasks have been completed, which tasks are in progress and where the delays are, and keep up to date as the project advances.
You are in expert hands
Our consultants have extensive knowledge and experience helping organisations implement and manage ISO 27001 projects.
All our ISO 27001 Lead Practitioners hold either the ISO 27001 Lead Implementer or ISO 27001 Lead Auditor qualification, as well as other industry-recognised certifications such as ISC2 CISSP, ISACA CISM and IAPP CIPP/E.
Get ahead and transform your ISO 27001 project
Digital transformation is the current rage. And for good reason. Boosting efficiency and delivering more effective outcomes is vital for any organisation and is the pathway to success.
Our ISO 27001 SaaS system uniquely combines the principal processes (across an organisation) to implement and maintain ISO 27001 compliance.
By combining GRC functionality with active cyber security and privacy processes, we can extend your digital transformation initiative to include information security and privacy, which of course includes ISO 27001.
ISO 27001 consultancy FAQ
ISO 27001 is an international standard designed to help organisations improve their information security through the creation and operation of an information security management system (ISMS) that is developed and tailored to their own particular set of circumstances. ISO 27001 provides a framework to establish an effective information security programme that is based on a consistent risk management process and that utilises controls incorporated within the ISMS.
ISO 27001 is the second standard in the ISO 27000 family of standards that comprises over 30 documents. When organisations are audited by an external assessor for ISO 27001 certification, they are required to meet the requirements described within ISO 27001. The standard is also referred to as ISO/IEC 27001, which indicates it is a standard that was published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
ISO/IEC standards do change over time whenever new versions are published. The current version is ISO/IEC 27001:2017.
ISMS is an abbreviation for Information Security Management System. An ISMS, as the name suggests, is a system for managing the information assets of an organisation in a secure manner. This means that the system takes into account the information security risks to which the assets are exposed (i.e. the confidentiality, integrity and availability risks) and has the means to minimise those risks through the application of controls so that the residual risks are acceptable to the business.
An ISMS consists of policies, procedures, processes (and other elements) that are scoped and developed for a particular organisation, that together constitute the system. The ISMS contains the guidance, processes and operational methodology, which has been established by the management team, that if followed by staff and others, will have a good chance of protecting the information assets of the organisation from the anticipated risks.
The complete ISMS requires the establishment of several processes (relevant to the creation of the ISMS) such as risk assessment, risk treatment, asset management, document management, awareness training relevant to job roles, management review, incident management, supplier management and others.
ISMSs have traditionally existed as a series of Excel and Word documents, but this medium has many limitations. Document control is difficult because it can be a challenge to ensure that staff are working from up-to-date documents. Significant time is wasted by staff operating the system and getting staff buy-in. A better and more efficient way is to adopt a digital approach. See SMART ISMSs – a better way for fostering compliance within your organisation.
ISO 27001 is the standard with which businesses are required to comply when looking to gain certification in ISO information security management. ISO 27001 describes all the information security management requirements in a series of seven clauses, together with an appendix that lists 114 popular controls that can be used to mitigate and reduce information security risks. Known as ‘Annex A’, it describes each control objective together with the actual control. In Annex A, the controls are worded as ‘shall be defined’ or ‘shall be maintained’ etc., where the prefix ‘shall’ signals the certification body's expectation that the control (if selected within the risk treatment process) is a MUST-do requirement.
ISO 27002 is a guidance document that lists all the controls within ISO 27001 Annex A but also includes implementation guidance. The principal difference is that the prefix ‘should’ is used within ISO 27002 control descriptions instead of the ‘shall’ used within ISO 27001. The reasoning is that the 114 controls listed within Annex A are popular measures to treat risks, but they are not the only ones. This is evident in some sectors that have specific control requirements unique to a particular industry.
There are 7 distinct steps to gaining ISO 27001 certification:
Step 1 - develop an understanding of ISO 27001 requirements
Step 2 - gain an understanding of the processes that underpin and run the business
Step 3 - undertake risk assessments
Step 4 - develop and build an ISMS with an appropriate scope that meets the needs of its interested parties
Step 5 - operate the ISMS
Step 6 - pass the Stage 1 Audit
Step 7 - pass the Stage 2 Audit
The award of an ISO 27001 certificate lasts for 3 years before recertification is required. However, it should be noted that the certification body will carry out periodic surveillance audits to make sure that the ISMS continues to conform to the ISO 27001 standard. These surveillance audits are typically every 12 months.
Gaining certification typically takes 6 months to a year, depending upon the complexity and size of the business. It's vital to have management support.
ISO 27001 Annex A contains 114 controls that are designed to mitigate information security risks. The controls are grouped together into 14 control sets or categories.
A Statement of Applicability (SOA) is a requirement of clause 6 of the ISO 27001 standard. The SOA document lists the selected controls chosen to mitigate risks as part of the risk treatment process. All controls from Annex A must be considered and their selection justified. Similarly, when a control (from Annex A) is not required, the justification for its exclusion must also be recorded.
ISO 27001 can help with GDPR compliance if an appropriately designed ISO 27001 Information Security Management System (ISMS) is utilised.
GDPR is a risk-based regulation that relies upon organisations having 'appropriate organisational and technical measures' to protect personal information. Similarly, ISO 27001 is a risk-based standard for information security management. The following table is an extract from Article 32 of the GDPR and provides a mapping to the relevant aspects of an ISO 27001 Information Security Management System (ISMS).
It should be borne in mind that when the ISMS is planned, GDPR compliance would be included as a statutory requirement within Clause 4 'Understanding the context of the organisation'.
An appropriately developed ISO 27001 ISMS will help protect personal data by minimising confidentiality, integrity and availability risks. The ISO 27001 ISMS will not help with privacy risks such as failing to respond to subject access requests within a month etc.
GDPR Article 32 | ISO 27001 ISMS elements
---|---
32-1a the pseudonymisation and encryption of personal data; | Control set A.10 Cryptography
32-1b the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; | Clause 6 - including risk assessment and risk treatment
32-1c the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; | Control set A.17 - Information security aspects of business continuity management
32-1d a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. | Clause 9 - Performance evaluation: 9.1 Monitoring, measurement, analysis and evaluation, together with 9.2 Internal audit
When organisations are audited by an external assessor for ISO 27001 certification, they are required to meet requirements 4 through to 10 of the ISO 27001 standard. These requirements are summarised here at a very high level.
Do bear in mind that you are creating a system that manages your information assets (i.e. the Information Security Management System, known as your ISMS; see 'What is an ISMS?' in this FAQ). The ISMS takes into account all the risks that you have identified.
The ISO 27001 requirements that will be checked (as part of certification) are as follows:
Requirement 4 - Context of the organisation - Here you consider and record all the factors that may influence the creation and operation of your ISMS. For instance, these must include any legal requirements, laws, regulations and industry frameworks that the organisation must comply with, etc.
Requirement 5 - Leadership - The management team must promote the adoption of, and ongoing commitment to, ISO 27001 compliance within the company. For instance, there must be evidence of the management team's participation in the creation and ongoing operation of the ISMS, together with ensuring sufficient resources are provided. They must also ensure that suitable policies are created, etc.
Requirement 6 - Planning - The organisation must have evidence of planning to identify potential information security risks and of how these risks can be minimised to an acceptable level using your defined risk treatment plan. The organisation must also have evidence of setting security objectives and of planning how these objectives will be met, etc.
Requirement 7 - Support - The organisation must operate a process to ensure that up-to-date and approved ISMS documents are available to staff. Suitable communications must also be made to relevant parties about the operation of the ISMS and their role in it, etc.
Requirement 8 - Operation - The organisation must undertake (and record the details of planned) risk assessments. Change management must be practised, etc.
Requirement 9 - Performance evaluation - Performance of the ISMS must be recorded and checked via suitable audits to identify nonconformance. The management team must review the performance of the ISMS to ensure it is meeting the planned objectives, etc.
Requirement 10 - Improvement - When a nonconformance is identified, there must be evidence of a process to decide the best course of action to fix it and to take steps to ensure it is not repeated. Similarly, there must be evidence of continual improvement of the ISMS, etc.
+44 (0)203 397 0142
DLP Assured Services Limited
Kemp House
152 - 160 City Road
London
England
EC1V 2NX