Overview

We advise clients in achieving successful zero defect ISO 27001 certification.
Our ISMS – ISO 27001 consulting practice combines industry best practices in risk assessment, implementation, documentation, training and measurement of controls leading to a successful ISO 27001 certification and an ongoing governance program.
Our ISMS ISO 27001 program has been delivered across the world, across different industry sectors, from SMEs to large businesses operating across the world.
Choosing the right ISO 27001 consulting organisation goes a long way in establishing the Cyber Security Framework for your organisation
Contact us to get started.

Kindly share your details for ISMS requirements

ISMS – ISO 27001 Consulting Engagement Phases

Here is a brief overview of al the phases involves in implementing ISMS-ISO 27001 certification.

Phase I - Understanding Business and Security Objectives

Every client is unique with its business model, customers, and information security requirements
The ISMS-ISO 27001 implementation journey starts with this phase where we determine and document the clients’ business requirements for Information Security management system (ISMS).
This is where ISMS context, requirements of internal and external parties, and scope are determined and documented.

Phase II - Gap Analysis and Risk Assessment

Based on the outcome of phase I, a combination of approaches are applied by Coral ISMS ISO 27001 consultants to conduct the gap analysis.
A session with each individual organisation team to asses their current scope of work and their controls are determined
A Penetration test against their applications and network reveals their current state of controls
A threat model approach is applied to determine their systems and their current process gaps
With more and more organizations choosing a combination of on prem and cloud infrastructure, an assessment may involve set of controls and their effectiveness across both the environments.
ISO 27001 Gap Analysis phase is a key phase in designing control responsibility to stakeholders.
ISO 27001 Gap analysis will reveal gaps in all applicable domains such as ISMS governance, Application development, IT operations, Cloud Operations, Human resources, Physical Security, Supplier management etc
Coral consultants will provide detail recommendation for each identified gap with their recommendations.

Phase III - Control - Design, Documentation, Measurement, and Risk Management

Design involves control allocation responsibility to organisation stakeholders.
Documentation involves drafting and discussing 20+ policies and procedures across domains involving ISMS governance, Application development, IT operations, Cloud Operations, Human resources, Physical Security, Supplier management etc., as per applicable controls.
Risks identified in the gap analysis are tracked towards decision making and closure. Some risks are quick wins, whereas others may take longer to close.
Control Measurement involves testing the control effectiveness and providing stakeholders with an objective performance of the ISMS
These phases may run in parallel or sequential based on the organizational dynamics.

Phase IV - Training & Brainstorming Sessions

Training of staff involved in ISMS operations is a key factor in successful ISMS implementation.
ISMS involves company staff involved in defining their internal security controls.
Our consultants will deliver a combination of trainings including awareness, risk management and standard interpretation
Each documentation or risk undergoes brainstorming with staff to derive at a ‘best-fit’ solution for the organisation.

Phase V - Internal Audit and Management Review

ISO 27001 Internal audit starts with preparation of ISO 27001 checklist and selecting client staff as auditee, latter responsible for the controls.
Internal Audit involves verifying the effectiveness of the implemented lifecycle controls through interviews with system verification of applicable controls,
A formal report is published for management team.
We facilitate reviews with the management to ensure that the initial ISO 27001 policy objectives and goals are achieved.

Summary

At this stage:

As a result of undergoing these phases, Coral has implemented for a client an operational Information Security Management system (ISMS) that includes people, processes, technology and ongoing measurements.
Each of the ISO 27001 certification requirement has been completed by combination of one or more of policy, responsibility, report, record, technology, and automation.
The organisation now has a plan that demonstrates its continued commitment like any other business function
At this stage, the organisation is ready for inviting external certification body to certify them to ISO 27001 certification

Phase VI - External Certification Support

Chosen external certification body audit performs ISO 27001 certification in two phases:

Stage 1 – Documentation Review, and
Stage 2 - Implementation Verification

With the two phases completed, the certification body issues an ISO 27001 certificate.
Finally, upon receiving their ISO 27001 certificates, the clients are officially iso 27001 certified. This is the time to celebrate !!

Questions?

Seek a one to one session with our Principal Consultant, who will answer your questions to get started.

Contact Us Now !

ISMS – ISO 27001 FAQs

What is information security?

Information is anything that has a business value. Security is protection against loss of confidentiality, integrity and availability. Combined, in the context of any organisation, information security is the protection of all information that business considers ‘valuable’.
What is information security management system (ISMS)?
- ISMS is an organisation program, framework and a set of rules, policies, and procedures that ensures protection of information.
- ISMS is a management program driven by a management representative such as Chief Information Security Officer (CISO).
What is ISO 27001 certification?
- ISO 27001 is the certification that the organisation achieves upon demonstrating that they have implemented the ISMS.
- ISO 27001 is a certificate issued by a certification body upon completing a 2- phase audit.
- An ISO 27001 certification is valid for three years subject to annual surveillance.
- ISO 27001 certificate provides assurance to your customers that you have implemented 'optimum-security' in all processes that handles sensitive data
What are the benefits of implementing ISMS?
- Implementing ISMS helps an organisation to protect their information and digital assets, proactively.
- Additionally, it reduces the opportunity of being hacked as systems and processes are designed to ensure that the organisation and its information assets are secure.
- Processes such as risk assessment ensure all changes in the organizations consider security as part of the implementation.
- Controls such as threat intelligence ensures you are proactive as new threats develop in the wild.
- An annual calendar of 'management system' activities ensures that ensures there is an overarching role that is guiding the organisations security related decisions.
How much does it cost to implement ISO 27001 2022?
A number of factors play a role in determining the fee, such as:
- Scope of business, and information systems involved
- Number of business locations
- Number of networks including cloud service provider
- Presence of application development in scope
- Identified gaps or risks
An ISO 27001 engagement would involve two participants - a readiness consultant (like Coral) and an accredited certification body

Our readiness fee for the US and Canadian entities starts at $10000 for a startup with 1 location.

A CB charge can vary depending upon the scope of the work, and the reputation of the firm.

These numbers are estimates. For the exact fee, please contact us, we conduct an initial session, where we determine the applicable requirements including scope, using which we can submit a fixed-fee commercial proposal.
How much does it cost to hire an ISO 27001 consultant?
- A range of factors apply to determine the consultant efforts and the fee.
- Key factors includes scope in terms of business services, applications, networks, physical locations, applicable controls and the target dates.
- ISO 27001 consulting fee can vary from as low as $7000 to $50000 based on the above factors.
What are the key phases of implementing ISMS?

The phases of implementing include understanding the business, listing all information assets, conducting gap analysis, risk assessment and risk management, policy documentation, testing and measurement of controls, audit, and awareness of all stakeholders.
What are the responsibilities for an ISO 27001 Certification Consultant?
ISO 27001 certification consultant has the following skills:
- Ability to make an organisation iso 27001 certified through a formal process of gap analysis, documentation, process measurements technical implementations, internal audit and measurement
- Ability to explain the iso 27001 requirements to the organisation that includes management, functional owners, and employees, and enable them to implement secure practices
- Ability to perform security risk assessment and risk remediation
- Awarenss of latest changes in technology, and risk management practices
- Knowledge of latest security breaches
- Ability to draft company policies, and procedures that drive security managemeent in the organisation.
- Ability to communicate risk to the mnagement that elicit risk mitigation decision
- Manage an isms compliance program that has standard and dynamic activities as relevant to business and security incident management
What are the ISO 27001 Certification Steps for an organisation?
ISO 27001 certification steps are as follows:
- Understanding the main business and information security context
- Listing business information and inventory fof assets
- Determinatin of applicable ISO 27001 control requirements
- Detail gap analysis, and risk assessment
- Enabling risk relatd decision making and ensuring successfu implementtain thereby ensuring risk reductioon
- Draftung plicies, procedures and metrics
- Awarenss to all staff
- Internal Audit
- Maintiain an annual program f gvernance that ensures that all relevant cmpany prcsses fllow the standadr to reduce any new opportunities of incients
How to make an ISO 27001 Certification Checklist?
ISO 27001 checklist creation is a challenging but interesting task that includes on one hand, understanding of iso 27001 requirements, and on the other an organization’s business, strategic information risks, and their information assets.

ISO 27001 has control requirement covering several domains that includes the following domains.
- Strategic
- Technical
- Physical
- Personnel
- Suppliers
- Process
Phase A – ISO 27001 requirement checklist

The journey starts with getting a copy of the iso 27001 controls, and using the same to create a meta templete in which against each rquirement one should prepare the iso 27001 questions using one or more of the follwings:
- What to ask?
- What to check?
- Whom to ask?
Phase B – Business requirement checklist

In the organistaion context, each business is sometwhat unique, so the next step is to gather enough infrmation about the organisations, such as:
- Main Business
- Products and Services
- Information to be secured
- Information Systems in Use
- Number and location of Users
- Applications develped
- Network locations
- Office locations
- Supplier List and their services
- Individual roles and nominations
With this, one has created the organisation context necessary to apply the qustions from the phase A.

ISO 27001 checklist is incomplete with just the standard questions, there is always a need to prepare the question in the context of the organisation for which this is applied.

A complete iso 27001 checklist strategy threfore needs to have both the iso 27001 control checklist as well as organisatial checklist.
What does the certification body lead auditor look for in issuing an ISO 27001 certificate?
ISO 27001 certification audit is valid for three years subject to fulfilment of the standard requirements by the organization. ISO 27001 certificate is issued by the certification bodies.

In the first year they perform two stages of the audit, namely stage 1, and stage 2.

Stage 1 audit is the documentation audit, where they look for documentation alignment with the applicable requirements as per the organizations Statement of Applicability (SOA).
Stage 1 questions are centered around company policies and procedures and demonstrate an organizations’ ‘intent’.

Stage 2 assessment aims at verifying the ‘implementation and effectiveness’. This phase is much more comprehensive where the iso 27001 certification body auditor looks for evidence of implementations across all domains and controls that are applicable to the organization.

Stage 2 focuses on the technical side of the implementations that includes the followings:
- Cloud security controls,
- Network security controls,
- Application development security lifecycle controls
- Human resource controls
- Physical security controls
- Supplier management controls
- Other ‘security management’ processes
Upon assured of the ‘intent, implementation and effectiveness’ the iso 27001 certificate is issued by the certification body to the Organisation.
What is ISO 27001 Statement of Applicability (SOA)?
- As the name suggests, it is a document created by the organization to demonstrate its alignment with the standard list of controls
- It defines the justification for not applicable controls, and applicable controls.
- It is the basis on which a company gets certified. SOA is used by the certification body auditor to make their judgment on compliance
- It is a document using an organization demonstrate their ‘control design’ – a term generally used in SOC 1/SOC 2.
- As a best practice, we advise clients to add more columns in the SOA such as documentation and risk owner, a term to associate a control with a team, responsible for enforcement of the control in the organization.

Did you Know?

- ISO 27001 is the most popular organisation certification for demonstrating Cyber security and information security program
- The first step for iso 27001 compliance is to determine the scope for iso 27001 certification. However the scope is determined by a business, and its information security context. Scope involves determination of business services, information systems, production network, and office locations among other factors.
- ISO 27001 does not have a specific requirement for a CISO but has isms roles and resposnibilities. This means an organisation can define either an individual driving the isms or a team that drives and implements isms.
- ISO 27001 expects a method of risk assessment which includes context wise risk assessment. This means you can do risk assessment by security policy objectives, threats, applicable controls and even by assets.
- Each of the iso 27001 requirements needs to be tested at least once a year and their score to be evaluated to determine the degree of control effectiveness

ISO 27001 - 2022 Controls Calculator

If you are seeking ISO 27001 for the first time using this you can determine the applicable controls from the total list of 93 annexure controls.
We have a simplified methodology to determine with fair accuracy how many controls would apply. So go ahead and give it a go!

1. Do you have application development team or a department in the scope of your ISO 27001 certification? (Note : "Application development has at least 9 controls. Depending upon whether you have one or more apps, additional controls may apply.")

Yes No

2. Do you have one or more office locations? (Note : "Physical security has at least 11 controls. Note - Even if you don’t have a physical office some degree of physical security controls would apply.")

3. Do you have one or more application software vendor - who develops code for you? (not contracted staff)? (Note : "Security of 'Outsource software development' vendor is one control. ")

4. Do you have one or more cloud service providers ? (Note : There is one control for cloud security. Note - For each cloud service provider depending upon SAAS, PAAS or IAAS, there may be additional controls based on the shared security responsibility model - which are not in ISO 27001 list directly.)

Consulting Services

Why Coral?

Contact Us

Request a call back

ISO 27001 ConsultingReadiness, Implementation, Audit and Program Management