Overview: Helping you achieve ISO/IEC 27001 compliance

Achieving ISO/IEC 27001 certification shows customers, partners and other stakeholders that an organization actively manages its information safely and securely. The long journey to building an ISMS and then achieving ISO 27001 compliance can feel daunting for any business. It can be difficult to plan and carry out the required compliance measures effectively, especially where in-house resources are limited. As an award-winning cyber security consultancy, we are well placed to help your organization evaluate and enhance its information security against the ISO 27001 controls and to demonstrate compliance with GDPR and other regulatory obligations.

ISO 27001

What is ISO 27001?


ISO 27001 is an internationally recognised security standard that defines a framework of technical risk management controls applicable to an Information Security Management System (ISMS).

ISO 27001 is published as part of the ISO/IEC 27000 series established by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). The ISO framework is intended to assist organisations in establishing, implementing, maintaining, monitoring, reviewing and improving their ISMS.

ISO 27001 adopts a risk-based and technology-neutral approach to information security and requires organisations to apply controls based on the organisation's own security risks. The standard does not prescribe a fixed list of controls to apply; instead it gives a checklist of controls for consideration, with implementation guidance provided in ISO 27002.

Even if your organisation is not seeking full certification, it is prudent to understand the controls outlined in the Standard in order to assess whether security best practices are being followed.

ISO 27001 requirements

ISO/IEC 27001 requirements

Identify threats and weaknesses and analyze their impacts in order to conduct a systematic assessment of information security risk

Design and implement a comprehensive set of security controls to address identified security risk

Establish an ongoing management process that ensures the security controls continue to meet the organization's needs as its risks change over time

Controls

ISO 27001 Annex A controls

When constructing an effective Information Security Management System (ISMS), it is crucial to choose appropriate controls. ISO 27001 Annex A provides a set of 114 best-practice controls, organized into 14 clauses.

Since the update to ISO 27001 in 2013, the controls have not been compulsory. They serve as guidance for conducting risk assessments, from which organisations select the controls they can justify as the most relevant and meaningful for their organisation.

The 14 control clauses of Annex A:

A.5 - Information security policies

A.6 - Organisation of information security

A.7 - Human resource security

A.8 - Asset management

A.9 - Access control

A.10 - Cryptography

A.11 - Physical and environmental security

A.12 - Operations security

A.13 - Communications security

A.14 - System development and maintenance

A.15 - Supplier relationships

A.16 - Information security incident management

A.17 - Business continuity management

A.18 - Compliance with laws and policies

ISO 27001 certification

The ISO 27001 certification process

To achieve ISO 27001 certification, an organization's ISMS must be audited by an accredited registrar, which follows the multi-stage external audit process defined in ISO 27006. The process may include:

Stage 1 is a preliminary review of the organization's ISMS, including gathering its security policy documentation; the key documents are the Statement of Applicability (SoA) and the Risk Treatment Plan (RTP).

Stage 2 is a formal compliance audit, in which the ISMS is tested against the ISO 27001 requirements. Organizations being assessed should be able to produce documentation on the design and implementation of the ISMS, as well as evidence that it is operated and maintained.

Organizations that pass Stage 2 are ISO 27001 certified; however, they must pass a series of follow-up visits and surveillance audits to maintain that status. These are recommended to take place annually for most organizations and will happen more frequently if the ISMS is still in its infancy.


ISO 27001 pen testing

ISO 27001 certification does not happen overnight, and most organizations will struggle to prepare for an audit without support from someone external to the organization. Understanding and managing vulnerabilities is an essential element of an ISMS, and the most efficient way of doing this is to have a regular security testing programme in place.

As per objective A.12.6.1 of ISO 27001, you should obtain information about technical security vulnerabilities in a timely manner, evaluate the organisation's exposure to these vulnerabilities, and treat the resulting risks appropriately.

Our team of pen testing experts has vast experience in building security testing programmes for organisations in all sectors. We carry out a full risk assessment and provide full post-test support to ensure that the vulnerabilities identified can be remediated in a timely manner. Whether you require an internal or external network assessment, a web or mobile application test, or a bespoke phishing or social engineering simulation, our experienced and friendly team can assist you.

ISO 27001 threat and incident management

An overarching requirement for an Information Security Management System is that the organization has a full set of threat management controls that are monitored on an ongoing basis. Objective A.16.1 relates to security incident management, including the detection and reporting of, and response to, security incidents.

Building the capability to detect and respond to threats on an ongoing basis is difficult unless you have a large in-house security team dedicated to the task. Responder is our outcome-focused Managed Detection and Response service, designed to provide the people, technology and offensive-security-informed intelligence to proactively hunt for threats and shut them down effectively.

We collaborate with our clients to understand their security risks and operationalize a solution that delivers tangible security outcomes across a variety of use cases.
