How Coral helped a robotics designer achieve ISO 27001 compliance

Business

The company provides robotics design and development, including the production of robots for commercial and defence service providers.

Here we explain the five-phase approach we followed to make the organisation ISO 27001 compliant.

Phase 1 – Gap Analysis/Risk Assessment/Maturity of Current ISO 27001 Processes

Phase 2 – Skill Transfer including documentation

Phase 3 – ISMS Performance Tracking

Phase 4 – Internal Audit

Phase 5 – External Audit

Phase 1 – Gap Analysis/Risk Assessment/Maturity of Current ISO 27001 Processes

We started by meeting top management to understand their expectations of the ISMS, including what they considered the most sensitive information needing protection. We were surprised to find that their view differed considerably from what the heads of departments considered the most important information requiring protection.

In this phase we also identified the different forms of assets using our asset master template. Once the assets were identified, we focused on the business transactions performed by the business and its different teams.

This resulted in identifying:

  • All forms of assets
  • All forms of information
  • The risks and vulnerabilities associated with those assets
  • Process maturity of each of the 114 Annex A controls

We applied our risk assessment methodology, which follows the steps of the ISO 31000 risk management process.

Phase 2 – Skill Transfer including documentation

Each team gained a detailed understanding of its responsibility for security compliance from an ISO 27001 perspective. We defined and communicated a strategy in which each team owned a portion of the applicable 114 controls.

Each team worked through a set of tasks with the following deliverables:

  • Skill transfer – teams learnt how to perform security tasks they had not performed before
  • Documentation – several policies and procedures were created covering the ISO 27001 management system requirements (Clauses 4 to 10) and the applicable 114 Annex A controls. Each team reviewed every document before accepting it
  • Communication – each team communicated the impact of the changes on its work, including to other affected teams and individuals
  • Metrics – an agreed performance threshold for each control and security transaction

Phase 3 – ISMS Performance Tracking

In this phase each team reported on its allocated ISMS transactions and processes along with their level of performance. This follows from the previous phase, in which each team agreed to report on its allocated area of security compliance.

We acted as reviewer of this performance, offering suggestions and, where the transactions were performed as desired, giving credit.

We saw good progress in how the teams now understood the requirements.

Phase 4 – Internal Audit

An independent consultant from our team, who had not been involved in the previous phases, performed an audit that simulated the external audit. The auditor's tasks covered the following:

  • Identifying the most significant information assets
  • Design and documentation in line with the ISO 27001 standard
  • Awareness of personnel of common and team-specific procedures
  • Management participation in the whole programme, including its response to performance reports

The internal auditor submitted a detailed report showing strengths and weaknesses, including the maturity of each of the 114 ISO 27001 Annex A control requirements.

Phase 5 – External Audit

The client chose a certification body that fit its budget and brand expectations. The certification body's audit team consisted of two members.

Stage 1 – A documentation audit was performed to verify that the documented requirements of the standard were met. The auditor submitted a report with suggestions for improvement, which we incorporated.

Stage 2 – The implementation audit focused on verifying the controls. This involved meeting all teams, including information technology, IT security, physical security, the application development lifecycle team, and legal and compliance. The audit team identified a few opportunities for improvement, which were addressed by the customer team with our support.

The company was successfully certified to ISO 27001:2013. The fruits of compliance include a proactive approach to the ISMS.

Business Benefit

The company acknowledges that ‘security is implemented in everything that they do’.

Hope you enjoyed reading the article!

If you wish to implement ISO 27001:2013 in your organisation, please write to us at roadmap@www.coralesecure.com.

Author : Probal C
