We provide ISO 27001 consulting and implementation support. This includes a phase wise approach that involves understanding business context to information security, information asset identification, information valuation, security valuation, technical and procedural risk assessment, gap analysis against ISO 27001 114 controls, detail recommendations, policy/documentation support, training, coaching employees/teams, coaching security managers, security performance setting, gap implementation monitoring, audit and management review leading to successful zero defect ISO 27001 - 2013 certification.
Our ISO 27001 consulting methodology ensures several benefits. This includes identification of all vulnerabilities in the Infrastructure be it related to technology, skill, vendor or locations. Top Management can clearly see the overall risk reduction in the organization and the way it is embedded in each business life cycle.
A step-by-step method of identifying information that is key to business success. ISMS also include a comprehensive approach in assessing risks on one hand, and identifying opportunities for improvement. Such opportunities take the shape of designing, documenting, implementing, measuring , auditing and continuously improving information security posture. Improvement can take place both due to proactive process such as risk assessment, and reactive such as Incidents. In simple words, a proactive approach to preventing and reacting to information related incidents.
The ability to be aware of what is our present weakness and our ability to know how we will react– is in essence a true impact of a formal ISMS. On the contrary not being aware of any aspect of the any part of the system and its security relevance, or the approach that we will take in case of a failure - therefore demonstrates the absence of ISMS.
The standard is divided into management system controls and annexure controls – also known as detail controls.
Management System Controls (Clause 4 to 10)
Clause 1 - Scope
Clause 2 – Normative references
Clause 3 – Terms and definitions
Clause 4 - Context of the organisation
Clause 5 - Leadership
Clause 6 - Planning
Clause 7 - Support
Clause 8 - Operation
Clause 9 - Performance Evaluation
Clause 10 - Improvement
Annexure Controls (14 domains 35 control objectives and 114 detail controls)
A.5 Security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset Management
A.9 Access control
A.11 Physical and environmental security
A.12 Operations Security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
We bring our world-class experience in delivery ISMS ISO 27001 implementation leading to successful certification.
Phase I – Understanding the business context and relevance of information security is the starting point of ISO 27001 2013 implementation analysis.
Phase II – Detail risk assessment/Gap analysisâ€¨including information asset identification, it security risk assessment including threats, impacts, vulnerabilities and probabilities resulting in identification of risks, and gaps. In addition we compare which of the ISO 27001 114 controls are applicable and relevant in implementing it risk management.
Phase III – Implementation/measurement journeyâ€¨through definition of ISO 27001 policy/procedure/documentation on one hand and the implementation of risk based gaps on the other. This phase takes the maximum time.
Phase IV – Internal Audit also referred as iso 27001 audit is the process of verifying successful ISO 27001 implementation, on one hand, and the inclusion of security principle in business lifecycle on the other.
Phase V – ISO 27001 Registration body certificationâ€¨This has is two stages:
Stage 1 – documentation, and, Stage 2 – implementation verification.
- Security Architecture in line with business protection objectives
- Enterprise/information risk reduction
- ROI consulting
- Speed and comprehensiveness in consulting delivery
- Security principles embedded in each business lifecycle/change
- Structured and proven risk assessment and risk measurement
- Documentation at 4 layers which encompass certification and internal maturity requirements
- Measurements that determine the degree of compliance for 114 controls
- Higher participation of compliance through head of department involvement
- Awareness to each and every member of the organisation
- Framework implementation and continual improvement
- Successful ISO 27001 certification
An organisation getting ISO 27001 certification has the following key strengths:
- An information security policy signed by the top management typically CEO.
- A formal asset identification process resulting in each asset being identified.
- Each information asset/system has a formal security classification, which helps in determining their security control.
- Each control area – technical, procedural, physical, legal – has a policy, responsibility, and wherever possible technology to protect.
- Number of policies vary but for getting ISO 27001 certification the number is at least 40 policies on various aspects of security operation
- Trained manpower to carry out there security function
- A dashboard that goes from security management team to top management explaining how security is performing
- An annual isms plan that shows the isms activities that involves design, implementation and audits.
ISO 27001 consulting is fairly a complex task which requires a combination of skills.
This includes understanding the business, understanding information security and their correlation.
The role encompasses the need to interact with each team in the organization including the ability to see assets and controls in multiple domains.Therefore the ISO 27001 consultant must have the following basic skills:
- Ability to understand business goals, strategies and objectives. Every organization is unique and therefore requires an acute business understanding of what makes them succeed. After all security objectives has to fulfill business objectives.
- Ability to align business goals with security goals
- Ability to define a formal risk assessment and risk management approach in line with business – that is sustainable and repeatable
- Ability to clearly define, articulate and measure key components of risks such as threats, impacts, vulnerabilities and probabilities using a structured model
- Ability to distinguish assets of different categories
- Ability to distinguish risk uniqueness in each asset or asset groups
- Strong technical background on application/database/network security
- Strong background on researching new vulnerabilities and how they can exploit a specific infrastructure
- Ability to present weaknesses in a form that can be evaluated in risk parameters
- Ability to advise client/top management whether to pursue a risk/vulnerability or not
- Ability to define and document policy, procedure and process
- Ability to evaluate technology and automation options
- Ability to advise client using their structure as to who should implement a specific gap.
- Ability to guide an implementer (nominated team within the organization for a specific gap) with right direction on why the policy has to be implemented in terms of business value and risk reduction
- Ability to evaluate the successful implementation of a control
- Ability to ensure the cross functional impact as a result of a newly implemented policy
Selection of an iso 27001 consultant therefore has to be done ensuring adequate experience in all of the above.
With a wealth of experience in consulting and project management Coral can help you bring down the compliance time by almost half. There is no doubt that such implementation take time due to the volume of controls but this can be achieved with articulate planning and execution both by us and you.
Please call or write to us if you seek fast track implementation and certification.
Organisation chose different paths to implementation. In some cases you plan to do on your own and in others you hire an ISO 27001 consultant.
There can be broadly 4 phases.
Phase 1 involves performing gap analysis. Gap analysis involves broadly three sections, namely asset identification, risk assessment, iso 27001 control analysis, and technical risk assessment. Each one of these require skills. Undergoing iso 27001 courses such as ISO 27001 lead auditor or ISO 27001 lead implementer are good but they are for beginners. For security assessment you need a combination of business, technical and security skills to make assessments.
Phase 2 involves policy design, documentation, ensuring accountability. These skills are difficult in house. No formal training for policy writing exists in the market place. You need security policies for technology teams (IT operations, network, application management, application development). You also need skills for human resources, physical, legal. Most importantly you need skills for security management especially security managers or chief information security officer. Phase 2 takes a long time as it needs policy writing, process change, new process implementation, training and more importantly a sense of ‘ownership’
Phase 3 involves audits. Audits can combine verification of closure but more importantly ownership of processes. Audits result in findings which must be closed before calling for the final phase of certification.
Phase 4 is the final registration body audit also called as certification body audit. Audits take place in two phases, namely stage 1 and stage 2.
There are several changes in ISO 27001 2013. It starts with the definition of the word ‘risk’ which is now closer to enterprise risk management.Read the full blog here
Top management wishes to know about the performance of information security program. There are several issues that you can discuss. Read the full blog here
There are changes in the management system clauses (Clause 4 to 10) as well as in the number of controls. Read the full blog here