ISO 27001 CERTIFICATION & AUDIT SERVICES
Implementing the ISO/IEC 27001 standard is a challenge for any organisation. The requirement to become certified to a standard is usually driven by contractual obligation, regulatory requirement, or simply because it is the right thing for the organisation to do. In most scenarios, achieving ISO 27001 compliance can seem like a daunting process.
For those wanting to understand their current security posture, the range of services below can be used to baseline your maturity level and help you evolve your information security strategy going forward; this holds true even if you don't want to pursue full ISO 27001 certification.
Why Choose Nettitude?
Traditional approaches to ISO 27001 certification often apply a "one size fits all" approach that doesn't quite achieve what you really want, or fully align with your strategic objectives. These "gap analysis exercises" often miss crucial components of the certification, such as:
- Your scope
- Your driver for certification
- More suitable alternatives
Nettitude's experienced consultants, who are Lead Auditors themselves, will provide a real-world perspective on implementing ISO/IEC 27001, using Nettitude's proven methodology to align it with your business objectives. With this approach, the route to certification is broken down into manageable elements, which ensures that you stay in control of where your resources are allocated. In making these informed choices, you select only the elements you need assistance with and want to evaluate.
Frequently Asked Questions About ISO 27001 Certification
What version is ISO 27001 at, and how might that affect me?
At the time of writing, ISO/IEC 27001:2013 is the current version and the second edition of the standard. It is aligned to ISO's Annex SL high-level structure, which defines the common structure for management system standards. Nettitude recognises this harmonisation by ISO/IEC, which is especially relevant for those holding any of the following:
- ISO 9001:2015 – Quality Management
- ISO 14001:2015 – Environmental Management
- ISO 22301:2012 – Business Continuity Management
If you have already transitioned to the Annex SL versions of any of the above, you are ahead. If you have yet to make the move, the information you gain from us will place you in a strong position to transition your other certifications sooner and build on the value gained from the ISO 27001 work.
By breaking the certification down into the following Base Activities (BAs), you can select as many or as few as you need, at the time you need them. We will support you all the way. Nettitude is completely agnostic to the certification body you choose; our services will support you on your journey regardless of who completes the certification assessment.
What are the steps in pursuing ISO 27001 certification?
BA1 – ISO27001 Management Workshop
Getting started is often the most challenging step, usually because the requirements and purpose of the ISO 27001 standard are misunderstood. This workshop is for top-level management, decision-makers and risk owners. We spend the day demystifying the standard into SMART activities and objectives, which can be incorporated either into a project or into business-as-usual activities. It makes the standard accessible and sows the seeds for engaging the rest of the organisation. For those already running alternative security or compliance regimes such as PCI DSS, it demonstrates how the work you are already doing can be incorporated into your ISO 27001 ISMS for quick wins.
BA2 – Information Security Management System (ISMS) Review
This review covers the elements of the standard that form its core requirements and is focused on top management, decision-makers and risk owners. It evaluates how compliant you are with clauses 4 to 10 and provides you with a roadmap to achieving full compliance. Your roadmap is tailored to your organisation and objectives so that the scope of your ISMS supports your strategy.
BA3 – Risk Management
Risk management is at the heart of ISO/IEC 27001:2013. Working with your Nettitude consultant, a risk management system incorporating the requirements of the standard will be developed to fit your organisation in both size and complexity; it will be integrated into your ISMS, together with the business processes needed to run it.
BA4 – Security Control Review
Nettitude consultants use a combination of substantive and compliance testing methods to assess your security controls against the ISO 27001 Annex A controls. Where the scope of the certification is not yet known, the review looks across your entire organisation to give you an indication of your security posture and risk levels. It also gives you the basis to create SMART activities and objectives to address those risks. Depending on the findings, your consultant may also recommend an alternative to ISO 27001.
BA5 – Third-Party Risk Service
The 2013 revision of ISO 27001 increased the controls required when working with third parties. Nettitude's consultants will work with you to determine your Risk Levels (RLs) and design an assessment process to collect and manage the RLs for each third party. Whether or not you hold the certificate yet, Nettitude can support you in this area by completing those risk assessments on your behalf.
BA6 – Internal Audit Service
Your organisation may not initially have the time or resources to fulfil the internal audit requirements of the standard. Nettitude can develop and deliver an internal audit programme that meets those requirements and, more importantly, grows your ISMS and security posture. As you become more familiar with the standard and its processes, you may choose to bring this in-house or retain Nettitude to deliver this core element of the standard on your behalf.
What are the base activities that Nettitude can provide?
Nettitude is ready to assist you at all stages. We have compiled the following table of common scenarios and the suggested base activities we can provide for each:
Frequently Asked Questions About Healthcare Cybersecurity
What does penetration testing involve?
In penetration testing for healthcare organisations, our experts simulate a real attack to identify vulnerabilities within your systems. Ethical hackers attempt to penetrate the healthcare environment in the way a threat actor would, but leave your data intact. They then produce a report of the vulnerabilities found and offer advice on how to remediate them so your data remains secure.
How do you create an effective cybersecurity strategy for a healthcare organisation?
To create an effective healthcare cybersecurity framework, Nettitude recommends first identifying what your aims are and what you are trying to protect; this determines your strategy. You can then choose a framework from three broad types: control frameworks, programme frameworks and risk frameworks. From there you define your risk assessment goals and implement security controls. Our experts at Nettitude can assist you with this process.
What is the biggest risk in healthcare cybersecurity?
One of the biggest risks in healthcare cybersecurity is Internet of Things (IoT) devices. These internet-connected devices are vital to many hospital and healthcare functions, so much so that they have their own term: the Internet of Medical Things (IoMT). They often centralise data collection for easy access, so when they are compromised the damage can be severe. You can improve your IoMT security by educating your staff, monitoring the network, segmenting devices onto their own VLANs, and choosing devices that meet recognised IoT security standards.