Posts Tagged ‘ISO 27001 certification’

You have applied for ISO 27001:2013 certification and you are about to undergo your Stage 1 audit. The auditor checks that your ISO 27001 documentation is up to the task. For many organizations, the documentation stage is the most time-consuming part of their ISO 27001 project. For some, documenting the ISMS (Information Security Management System) can take up to 12 months.

Providing the ISO 27001:2013 Documentation for your information security management system (ISMS) is often the hardest part of achieving ISO 27001 Certification. ISO 27001 Documents can run into thousands of pages for more complex businesses.

To get started, there are three approaches to addressing ISO 27001 documentation:

1. Trial and error
Designing the ISMS yourself is the riskiest and most time-consuming approach. An ISMS needs a huge amount of detail, and trial and error is a difficult way to tackle this task.

2. External expertise
The second approach is bringing in external expertise from experienced consultants. Though this offers a faster route than trial and error, it is substantially more expensive. ISO 27001 consultants will need time to learn your systems and processes before they can start documenting them, as well as any new systems or processes. The advantages of external expertise include a considerable reduction in the risk of failure and relief from resource constraints.

3. ISO 27001 Documentation toolkits
An ISO 27001 documentation toolkit can significantly reduce errors and save you a considerable amount of time and money. We highly recommend this approach and have designed a documentation toolkit that exactly meets the requirements of ISO 27001. The ISO 27001 Documentation Toolkit has been developed by ISO 27001 experts, provides all of the mandatory and supporting documentation templates you will require, and is more cost-effective than consultancy fees.

The toolkit includes:

  • A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
  • Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.

ISO 27001 is increasingly adopted worldwide by both internal and external IT organizations. Because there are so many small, mid-size and established IT organizations, the standard has helped to differentiate between IT companies across the world.

ISO 27001 certification demonstrates to existing and potential customers that your organisation has defined and put in place best-practice information security processes. ISO 27001 is the only auditable international standard that defines the requirements of an Information Security Management System (ISMS). Implementing an ISO 27001-certified ISMS can help your organisation avoid the penalties and losses associated with data breaches, and comply with legal and regulatory requirements.

Auditors should maintain up-to-date knowledge of the state of the art and of the organization's situation. ISO 27001 auditor training covers all issues related to the audit and helps auditors remain independent in both attitude and appearance. It helps an IT organization prepare its employees to perform ISO 27001 internal audits of the company's ISMS.

Essential skills and learning covered in ISMS (ISO 27001) auditor training include the following:

  • Overview of Information security management system.
  • Understanding ISO 27001:2013 system requirements.
  • Understanding Information security related definitions.
  • ISO 27001 documentation – the four-tier document structure.
  • Understanding ISMS internal auditing process.
  • Information Security management techniques.

The ISO 27001 manual is a mandatory document for ISO 27001 certification that supports the maintenance of the Information Security Management System in the organization. It is the top-level ("roof") document of the ISMS, and it usually includes the ISMS scope, the role(s) undertaken by the organization, exclusions from the standard, references to relevant documents, and the business process model.

Basically, there are two approaches to an ISO 27001 Information Security Management System (ISMS) Manual:

a) The ISO 27001 Manual could be a document explaining how an organization will meet the ISO 27001 requirements and which procedures will be used in the ISMS, or

b) The ISO 27001 Manual could be a set of all the ISO 27001 documents that are produced for the ISMS – in practice, the idea would be to place all the policies, procedures, working instructions, forms, etc. into a single book so that it is easier to read.

The first approach makes no sense because there is a mandatory document in the ISMS that must describe how a company will implement its information security – it is called Statement of Applicability. It must list all the controls, and define if they are applicable and how they will be implemented. Therefore, the Statement of Applicability has a very similar function to that of the Quality Manual, so an ISO 27001 Manual with the same purpose makes no sense.

Having all the ISMS policies and procedures included in a single ISO 27001 manual makes even less sense – first of all, most companies implementing ISO 27001 use an intranet for handling documents, so merging documents in electronic form makes them no easier to read; secondly, the longer the documents, the smaller the chance someone will read them, because not every ISMS document is intended for everyone in an organization; and thirdly – since individual ISMS documents change rather often, it would be a nightmare to update such a manual so frequently.

To implement the ISO 27001 standard for certification, you will need to carry out the series of activities described in your documentation. Once that has been done, you will need to complete another series of steps during the final phase of the project.

The ISO 27001 Certification Audit Process

The ISO 27001 certification audit process is divided into two stages.

In Stage 1, the auditor verifies whether your ISO 27001 documentation complies with the standard.

In Stage 2, the auditor verifies that your Information Security Management System (ISMS) operates effectively, as documented and in compliance with ISO 27001.

This underlines how carefully the documentation must be written against the clauses of the ISO 27001 standard. It also stresses the importance of actually implementing the information security system in your company.

Steps That Should Be Taken

After all the documentation has been prepared and the new business processes have been implemented, you will need to perform these mandatory tasks before the actual audit can take place.

  • Internal Audit
  • Management Review
  • Corrective and Preventive Actions

The purpose of an ISO 27001 internal audit is to have an independent auditor check whether the information security management system is working properly.

The management review is a process in which management takes into account all the relevant facts about information security and makes the appropriate decisions.

The company then takes all the faults and problems found during the internal audit and the management review and takes steps to resolve them. These are called corrective actions, and they should be completed so that no failures occur when the time for the certification audit comes.

Once all of this has been done, you will want to go over everything again and double-check it, so that you know everything is in order before the actual ISO 27001 audit happens. This double check ensures that every employee knows their tasks and areas of responsibility when the actual audit takes place.

Information security breaches are becoming the new normal. Security teams must now take dedicated measures to reduce the risk of suffering a damaging breach. The only solution to the growing threat of cyber attacks is to implement a robust approach that tackles all aspects of information security and business continuity throughout the organisation.

ISO 27001 implementation will involve your whole organisation. An ISMS is specific to the organisation that implements it. The entire project, from scoping to certification, can take three months to a year depending on the complexity and size of the organisation.

Here are the most common elements of implementing ISMS:

Gap analysis
Conducting a gap analysis determines what is required from an organisation’s current information security process in order to meet the Standard’s requirements. It identifies the resources and capabilities an organisation needs to fill the gap.

Scope the ISMS
ISO 27001 allows the scope of implementation to cover all or part of an organisation. Scoping involves deciding which information assets are going to be protected. This is often a difficult and complicated process for larger organisations. If the project is incorrectly scoped, your organisation can be exposed to risks that have not been considered.

Develop an information security policy
An information security policy should be put in place that reflects the organisation’s view on information security. This policy will then need to be agreed by the board.

Conduct a risk assessment
A risk assessment is at the core of any ISMS. A risk assessor will identify the risks that an organisation faces and conduct a risk estimation and evaluation of those risks. The risk assessment helps to identify whether controls are necessary and cost-effective for the organisation.

Select controls
Controls should be put in place to reduce or manage risks after the risk assessment has been completed. ISO 27001 has its own list of best-practice controls that an organisation will need to compare its own controls against.

Create ISO 27001:2013 documentation
ISO 27001:2013 Documentation needs to be developed to support every planned control and component of the ISMS. This documentation will then establish a point of reference to ensure consistent application and improvement.

Implement a staff awareness programme
All staff members should receive information security training that will increase their awareness of information security issues.

Carry out regular testing
ISO 27001 requires regular audits and testing to be carried out. This is to ensure that the controls are working as they should be and that the incident response plans are functioning effectively.

Gain certification
The certification body will need to review your management system documentation and check that you have implemented all the appropriate controls. This will be followed by a site audit that will test the procedures in practice.

Information security is one of the central concerns of the modern organization. The volume and value of the data used in everyday business increasingly shapes how organizations work and how they succeed. To protect this information, and to be seen to be protecting it, more and more companies are becoming ISO 27001 certified.

ISO 27001 is an internationally recognized and independent specification for the management of information security. It provides a comprehensive checklist of security controls to be considered for managing the organization's information security. ISO 27001 certification enables Interoute to demonstrate a robust information security control environment that manages security and consistently reduces information risk across its activities.

Control Areas of ISO 27001:

Information Security Policy: The organization maintains a full range of ISO 27001 policies that define the security management principles for all of its activities. These enabled it to obtain ISO 27001 certification for its Operations Centre, and ISO 27001 or the national equivalent for data centre operations in Amsterdam, Berlin, Geneva and Stockholm.

Asset Management: The organization maintains official inventories of information assets requiring protection, supported by a comprehensive suite of policies, processes and security controls. These inventories detail all services and platform components, with pre-defined functional owners responsible for maintenance, and are reviewed annually.

Physical and Environmental Security: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.

Communication and Management: ISO 27001 security policies cover the correct and secure operation of information processing facilities, to protect and maintain the integrity and availability of information and information processing facilities and to minimize the risk of system failure. These include safeguards, segregation of duties and additional security solutions within Interoute's systems, available to customers according to their requirements.

Access Control: ISO 27001 security policies cover logical and physical access controls, as well as features of specific products, to protect critical information. Access to data and systems is based on the principle of least privilege, with rights granted according to functional responsibilities. Access is regularly reviewed to ensure compliance with security policy, and a specific process is in place for handling any non-compliance.

Development and Maintenance of Systems: Security is integrated at every stage of the system development life cycle, with issues or nonconformities escalated to security and risk management for review and remediation.

If you’re just starting to implement ISO 27001 in your business, you’re probably in a dilemma about how many ISO 27001 documents you need to have and whether you should write certain policies and procedures or not.

Criteria for deciding what to document for ISO 27001

Well, the first step is simple: you have to check whether ISO 27001 requires the document. If the document is mandatory, there is nothing to think about; you have to write it if you want to comply with the standard.

Here are some criteria that will help you:

Risks: Start by assessing the risks to see whether a control is needed. If there is no risk, you certainly will not need a document for it; if there is a risk, that does not mean you have to write a document, but at least you have settled the question of whether the control is needed.

Compliance: Sometimes a regulation or a contractual requirement obliges you to write a specific document; for example, a regulation could require a written classification policy.

Size of business: Small businesses tend to have fewer documents, so avoid writing a procedure for each small process. For a multinational organization with 10,000 employees, on the other hand, it makes sense to write policies, each with a couple of related procedures, and for each procedure a couple of work instructions.

Importance: The more important a process or activity is, the more likely it is that you should write a policy or procedure describing it, because you want to be sure that everyone understands how to perform it and so avoid interruptions to operations.

Number of people involved: The more people perform a process or activity, the more likely you are to document it. For example, if 100 people are involved, it will be very difficult to explain verbally to all of them how to perform a particular process; it is much easier to write a procedure that explains everything in detail. On the other hand, if only five people are involved, you can probably explain how the whole process works in a single meeting, so you do not need a written procedure. However, there is one exception: if only one person performs a process, you may want to document it because no one else knows how to do it, so that if this person is no longer available you can continue your operations.

Complexity: The more complex the process, the more likely a written document is needed (at least in the form of a checklist); it is simply impossible to keep every step in memory.

Maturity: If a process or activity is clearly established, has been performed for years, is well developed and everyone knows exactly how to do it, it is probably not necessary to document it.

Frequency: If you perform some activities only rarely, you may want to write them down, because you can forget how they are done.