The full set of consulting services of ‘IS Consult Service’ Ltd for achieving certification under ISO 27001 is the ideal option for small and medium-sized enterprises that want a consultant to perform most of the work on their behalf. This is the best option for companies that have limited resources or a short timeframe in which to obtain certification. The fully managed certification process is useful for companies that want to improve their security but do not necessarily want to recruit teams of people to start internal projects.
What does this consulting service include?
If you choose this service, you sign up for a full consulting support package. Under this approach, the consultant will perform most of the work (up to 80%), while the client still plays an important role in decision-making throughout the project.
IS Consult Service Ltd covers all areas of ISO 27001, listed below:
- Company Information Security Policies
- Organization of Information Security
- Human Resource Security
- Asset Management
- Access Control
- Cryptography
- Physical and environmental security
- Operation Security
- Telecommunication security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance

How will we achieve it?
1. On-site gap analysis
At the beginning of the project our consultant will perform an analysis of your organization's current state in relation to ISO 27001 (gap analysis) and prepare a report.
2. Project management and coordination
Based on the gaps identified, we will provide you with a 3- or 4-month project plan, divided into weeks, showing tasks, end-to-end deadlines and the people responsible for carrying out each activity. Our consultant will provide end-to-end project management.
3. On-site training
At the beginning of the project we will provide ISO 27001 training for your managers and for all interested parties involved in the project for compliance with the standard.
4. Exemplary set of documents [Working examples]
You will receive access to a set of documentation templates that will support you during the project and save you time.
5. Coaching and mentor talks with our consultant
During the project you will have access to coaching and mentoring sessions with the consultant (in line with the requirements).
6. Professional ISMS documentation
Our consultant will manage the preparation and production of the documents necessary for successful certification under ISO 27001.
7. Internal audit and management review
Our consultant will conduct the internal audit that is required prior to the Stage 1 certification audit. For your convenience, the consultant will also organize a management review meeting to assess the current state of the ISO 27001 implementation.
8. On-site support after the project
Upon completion of the project, our consultant will provide support during the operational phase of the implemented system.
9. Coordination with the registrar
Our consultant can help you obtain offers from accredited certification bodies that issue the final document confirming compliance with ISO 27001. You take the final decision!
10. Calls and assistance during the external audit by the certification body
During external audits our consultant will be at your disposal if you or the auditor of the accredited certification body have any questions or need additional help.
The partially managed services give organizations the opportunity to receive support in specific areas of the standard in order to strengthen their current staff in their certification efforts under ISO 27001:2013. We often provide ISO 27001 consulting covering sub-groups of controls, ranging from risk assessments and technical assessments to consulting on issues such as physical and/or logical security and other standard-related topics.
The partially managed service is useful for companies that do not have experience in risk management or lack the necessary technical skills in one or more sections of the standard.

Using our methodology for assessment, planning, provision of procedures and improvement, we can effectively integrate information and physical security in any organization.
Our certified consultants have considerable experience with the ISO 27001 standards as lead auditors, contractors and integrators. This ensures that we meet the requirements of our clients and can provide value-added support, using our industry insight, knowledge and expertise to meet certification requirements.
Internal audits are performed by an in-house team or an outsourced agency, based on a predefined scope according to ISO 27001. External audits are performed by certification bodies on different cycles. Some certification bodies undertake an assessment six months after certification, known as a surveillance audit. Generally the last surveillance audit can also be called a recertification audit. The certificate is issued for a period of 3 years, and every six months it is mandatory to conduct an ‘internal audit’ by an in-house team or by an outsourced agency.
IS Consult Service Ltd can conduct internal audits under ISO 27001:2013, which are a mandatory requirement of the standard. If one of your barriers is a lack of knowledge of auditing techniques or of how to audit specialist areas according to ISO 27001, we can support you in developing a complete internal audit programme, as well as conduct specific audits on your behalf. We can also assist you with the ongoing independent assessment of your controls against the requirements of the standard.
The ISO 27001 audits focus on the operation of the ISMS; they can be IT-related (procedures, documents, IT controls) and/or non-IT-related, such as:
- document management procedures;
- process of preventive and corrective actions and applicable controls;
- administration of user accounts;
- change control process;
- delivery of services from a third party;
- recruitment and termination of staff;
- knowledge improvement training;
- incident management;
- and many other similar areas.
We have considerable experience in conducting third-party audits on behalf of our clients. These audits can address specific aspects or more general topics, such as your suppliers’ approach to information security. If required, we can also manage the full ISO 27001 internal audit and will be happy to discuss your requirements.
An external ISO 27001 audit is divided into three stages:
Stage 1 involves a thorough review of key documents and the methodology adopted by the organization. Documents such as the organization's information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP) are checked. This stage also helps the auditors and the organization understand each other better.
Stage 2 is more detailed and formal and comprises an on-site visit, during which the sample size is decided and the sample is audited. Often this is the last stage, and certification is awarded to an organization that successfully clears it.
Stage 3 involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard. Ideally, internal auditors would follow the same process. However, because internal auditors are part of the system, many assumptions are made and a design flaw is often overlooked; an internal audit generally ends up as a checklist-oriented audit. Ideally, therefore, an experienced third party with domain expertise should be engaged to identify gaps in a holistic (people, process and technology) manner.
After the certification, an ISO 27001 audit should be done at least annually.