Overview

As an ISO 27001 consulting service provider, we advise our clients in ISMS – ISO 27001 certification through a 6-phase implementation approach that includes understanding client business, setting security policy objectives, gap analysis, detail risk assessment, policy documentation, risk remediation support, end user training, monitoring, measurement, and audit, thereby leading to successful ISO 27001 certification.
With 20 years of ISMS practice, our methodology has been successfully implemented in business of all sizes and sectors, across the globe. Whether you are a startup in AI-ML-Data Science, SAAS, PAAS, IAAS provider, product developer or customer, or brick and mortar local or global business, we have implemented ISMS in fairly all industry sectors.
Security is everyone’s responsibility. We consider our methodology as most comprehensive as we involve every client key stakeholder in our ISO 27001 implementation journey. We ensure ‘security by design’ principles as part of your business DNA.
How fast can Coral get us ISO 27001 certified? As fast as you want to be! We follow an agile philosophy where phases of the project can run in parallel, resulting in achieving ISO 27001 certification faster.
Contact us today to get started

Kindly share your details for ISMS requirements

Name

Organisation

Phone

Email

Please provide your additional request OR specific request (if any) : *

Security Code

ISMS – ISO 27001 Consulting Engagement Phases

Here is a brief overview of al the phases involves in implementing ISMS-ISO 27001 certification.

PHASE I - Understanding Business and Security Objectives

Every client is unique with its business model, customers and business objectives.
The ISMS-ISO 27001 implementation journey starts with this phase where we determine and document the clients’ business requirements for Information Security management system (ISMS) – ISO 27001 context.
This is where ISMS context, internal and external requirements, and scope are determined and documented.

PHASE II - Gap Analysis and Risk Assessment

As the name suggests, this phase is aimed at determining the current controls in place, which helps determine the ‘missing controls’.
In addition this phase involves determining information and its lifecycle, with its assets that store, process and/or transmit the information.
How comprehensive is the risk assessment? We perform a 3-phase risk assessment that involves information assets, security controls and policy objectives, thereby giving clients an unparalleled view of their security risks.
With more and more organizations choosing a combination of on prem and cloud, this phase has become a key focus area.
Gap Analysis phase is a key phase in designing control responsibility to stakeholders.
This is where identified gaps, applicable controls (Statement of Applicability), with their references to stakeholders and policy/procedure requirements are determined, and documented.

PHASE III - Design, Documentation and Risk Monitoring

Design involves control allocation responsibility to organisation stakeholders.
Documentation involves drafting 25+ policies and procedures
The phase involves brainstorming and training staff to align them with documented controls and policies.
Risks identified in the gap analysis are tracked towards closure.

PHASE IV - Control Measurement

Measurement involves testing the control effectiveness and giving a 0-100% score.
We have a structured methodology using which we score controls based on an interplay of business transactions with ISO 27001 controls, and present this to the management using a formal report.

PHASE V - Internal Audit and Management Review

Internal audit started with preparation of ISO 27001 checklist and selecting client staff as auditee, latter responsible for the controls.
Internal Audit involves verifying the effectiveness of the implemented lifecycle controls through interviews with physical and system verification of applicable controls, as it applies to the organisation control design.
A formal report is published for management committee.
We facilitate reviews with the management to ensure that the initial ISO 27001 policy objectives and goals are achieved.

PHASE VI - External Certification Support

Chosen external certification body audit performs ISO 27001 certification in two phases:

Stage 1 – Documentation Review, and
Stage 2 - Implementation Verification

With the two phases completed, the certification body issues an IS 27001 certificate.
Finally, upon receiving their ISO 27001 certificates, the clients are officially iso 27001 certified

Questions?

Seek a one to one session with our Principal Consultant, who will answer your questions to get started.

Contact Us Now !

ISMS – ISO 27001 FAQs

What is information security?

Information is anything that has a business value. Security is protection against loss of confidentiality, integrity and availability. Combined, in the context of any organisation, information security is the protection of all information that business considers ‘valuable’.
What is information security management system (ISMS)?
- ISMS is an organisation program, framework and a set of rules, policies, and procedures that ensures protection of information.
- ISMS is a management program driven by a management representative such as Chief Information Security Officer (CISO).
What is ISO 27001 certification?
- ISO 27001 is the certification that the organisation achieves upon demonstrating that they have implemented the ISMS.
- ISO 27001 is a certificate issued by a certification body upon completing a 2- phase audit.
- An ISO 27001 certification is valid for three years subject to annual surveillance.
What are the benefits of implementing ISMS?
- Implementing ISMS helps an organisation to protect their information and digital assets, proactively.
- Additionally, it reduces the opportunity of being hacked as systems and processes are designed to ensure that the organisation and its information assets are secure.
What are the key phases of implementing ISMS?

The phases of implementing include understanding the business, listing all information assets, conducting gap analysis, risk assessment and risk management, policy documentation, testing and measurement of controls, audit, and awareness of all stakeholders.
What are the responsibilities for an ISO 27001 Certification Consultant?
ISO 27001 certification consultant has the following skills:
- Ability to make an organisation iso 27001 certified through a formal process of gap analysis, dcumentation, process measurements technicla implementtains, internal audit and masurement
- Ability to explain the iso 27001 requirements to the organisatin that includes management, functional ownrs, and employees, and enable them to implement secure practices
- Ability to perform security risk assessment and risk remedition
- Awarenss of latest changes in technology, and risk management practices
- Knowledge of latest security breaches
- Ability to draft company policies, and procedures that drive security managemeent in the organisation.
- Ability to communicate risk to the mnagement that elicit risk mitigation decision
- Manage an isms compliance program that has standard and dynamic activites as relevant to business and security incident management
What are the ISO 27001 Certification Steps for an organisation?
ISO 27001 certification steps are as follows:
- Understanding the main business and information security context
- Listing business information and inventory fof assets
- Determinatin of applicable ISO 27001 control requirements
- Detail gap analysis, and risk assessment
- Enabling risk relatd decision making and ensuring successfu implementtain thereby ensuring risk reductioon
- Draftung plicies, procedures and metrics
- Awarenss to all staff
- Internal Audit
- Maintiain an annual program f gvernance that ensures that all relevant cmpany prcsses fllow the standadr to reduce any new opportunities of incients
How to make a ISO 27001 Certification Checklist?
ISO 27001 checklist creation is a challenging but interesting task that includes on one hand, understanding of iso 27001 requirements, and on the othe an organisation’s business, strategic information risks, and their information assets.

ISO 27001 has control requirement covering several domains that includes the following domains.
- Strategic
- Technical
- Physical
- Personnel
- Suppliers
- Process
Phase A – ISO 27001 requirement checklist

The journey starts with getting a copy of the iso 27001 controls, and using the same to create a meta templete in which against each rquirement one should prepare the iso 27001 questions using one or more of the follwings:
- What to ask?
- What to check?
- Whom to ask?
Phase B – Business requirement checklist

In the organistaion context, each business is sometwhat unique, so the next step is to gather enough infrmation about the organisations, such as:
- Main Business
- Products and Services
- Information to be secured
- Information Systems in Use
- Number and location of Users
- Applications develped
- Network locations
- Office locations
- Supplier List and their services
- Individual roles and nominations
With this, one has created the organisation context necessary to apply the qustions from the phase A.

ISO 27001 checklist is incomplete with just the standard questions, there is always a need to prepare the question in the context of the organisation for which this is applied.

A complete iso 27001 checklist strategy threfore needs to have both the iso 27001 control checklist as well as organisatial checklist.

Consulting Services

Why Coral?

Contact Us

Quick Contact

Information Security Management System (ISMS) ISO 27001/ISO 27002 Implementation Consulting Services