ISO 27001 SERVICES
Whatever the reason you need to achieve certification to ISO27001, it can be a challenge. ISO 27001 becomes part of the fabric of the organisation and needs looking after throughout the certification cycles.
LRQA Nettitude understands that businesses have their strengths and weaknesses and so have developed a modular approach to supporting businesses in achieving full certification.
Why Choose LRQA Nettitude for ISO 27001 Consulting?
Traditional approaches to certification often apply a ‘one size fits all’ that often doesn’t align to how you work or what your strategic objectives are. ISO 27001 standards must live and breathe within the organisation, not be pulled out of a filing cabinet every 6 or 12 months to simply tick a box.
LRQA Nettitude’s experienced Consultants, who are Lead Auditors themselves, will provide a real-world perspective on implementing ISO 27001, to align this to your business objectives. With this approach, the route to certification is broken into components that ensure that you are in control of where you want your resources to be used.
In making these informed choices, you’ll select only the elements you need assistance with.
LRQA Nettitude is entirely agnostic to the certification of your choice. We only advise that the certification body you choose is UKAS accredited to provide the greatest value for your investment.
Each accredited certification body will conduct the body of their audit activities similarly. At LRQA Nettitude, our proven methods and implementation guidance satisfy the standard, whomever it is performing the assessment.
ISO 27001 Gap Analysis
Organisations that have not yet started their journey, or are some way through, sometimes struggle to determine how far through they are and when they should schedule their certification audit. A Gap Analysis will give a point in time assessment so assist with planning or identify where further assistance is needed.
Why might I need this?
You are implementing ISO 27001 and want to understand your current status.
What do you get?
The LRQA Nettitude Gap Analysis combines the following three items:
- Management Workshop
- Information Security Management System (ISMS) Review
- Security Control Review
You can find out about each of those elements below.
ISO 27001 Management Workshop
Management commitment is built into the very fabric of the standard, and the audit process will include this when the time comes. Top management will have stakes in sales, finance, operations and other subjects, and this is the time to include security.
Historically, facets of security have been kept separated and disjointed to such a degree that it isn’t always observed and it can be quite easy to omit some elements along the way.
Why might I need this?
You know you want to achieve certification, but you don’t necessarily know the extent of how much your people will be involved and from which parts of the organisation they will be sourced. You may not have appreciated the process that you have to go through and how you would even describe this on paper.
Who is involved?
- Top-level management
- Decision-makers
- Risk owners
What will our experience be?
In this session, we make clear the responsibilities of top management within this process, describing how certification works, explaining the standard to facilitate smart activities and objectives. If the scope of the certification is not yet defined, this will be determined through interactive dialogue. You may even find at this point that the certification isn’t the right thing for you.
What do you get?
- At the end of the session you will receive the presentation seen during the session.
- Scope of Certification document to fulfil Clause 4.
- Homework
Information Security Management System (ISMS) Review
The ISMS is the combination of people, processes and technologies that comprise your certification. This review will focus on the core clauses of the standard that provide the management framework, and determine the level of compliance with the clauses, providing the dry run of the certification process.
Why might I need this?
You need to understand how much work is remaining on your journey to certification, or check that what you have done so far meets with the certification requirements. It will also give you the opportunity to develop your business activities to achieve certification and allow business as usual to meet the requirements..
Who is involved?
- Top-level managers
- Risk management
- The ISMS manager
- Those persons responsible for items within Clauses 4 to 10 inclusive.
What will our experience be?
Our Consultants will use a combination of interviews, observation and documentation review to report on the compliance of your system against the standard. They will use their experience to suggest improvement opportunities and where there are instances of non-conformity, provide support on addressing them in the form of your roadmap.
What do you get?
- A qualitative report describing the compliance of your ISMS against ISO 27001
- A roadmap with activities targeted to achieve your aims for certification
Risk Management
This is the keystone of the certification and is an essential part of clauses 6 and 8. Without a risk management program in place which identifies appropriate asset under the control of your ISMS, you cannot certify. In conjunction with your LRQA Nettitude consultant, a risk management system incorporating the requirements of the standard will be developed which fits your organisation both in terms of size and complexity; this will incorporate into your ISMS and provide the necessary business processes to run the system.
Why might I need this?
You haven’t got a risk management methodology yet, or the one you have doesn’t operate in the terms required by ISO 27001.
Who is involved?
- Risk Managers
- Risk Owners
What will our experience be?
The Consultant will either look at your existing risk management framework and work with you to adjust it to meet the requirement of ISO 27001, or develop an appropriate set of risk registers with you. They will help you to determine information assets and assess them based on an agreed methodology.
What do you get?
- Confirmation that your risk methodology achieves the requirement for ISO 27001 OR a risk methodology tailored to your organisation.
- Confirmation of a risk register achieving the requirements for ISO 27001; OR an updatable risk register to use and complete ready for assessment.
Security Control Review
LRQA Nettitude consultants will use a combination of substantive and compliance methods to assess your security controls against the ISO 27001 Annex A Controls (see below). Where the scope of the certification is not yet known, this will look across your entire organisation to provide you with an indication of your security posture and risk levels. It will also provide you with the ability to create SMART activities/objectives to address those risks. Your consultant may also recommend an alternative to ISO 27001 depending upon the findings within the organisation.
The chances are you have already got technical and operational security measures in place. A lot of ISO 27001 is about ensuring you operate the security in the way you are describing i.e. walking the walk. LRQA Nettitude consultants have strong experience in the governance and risk of 27001 but also the technical experience of security technology deployment and review.
Why might I need this?
You want assurance that the technical controls implemented, and the policies and procedures around them, provide good security controls within your organisation. This can be used a standalone service if you wanted an independent review conducting.
Who is involved?
A sample of the following (where applicable) are usually involved in this activity:
- Operational Management and Teams
- Human Resources
- Vendor Management
- Networking and IT Teams
- Development Functions
What will our experience be?
LRQA Nettitude Consultants will use a combination of substantive and compliance assessment methods to assess your security controls against the ISO 27001 Annex A Controls. Where the scope of the certification is not yet known, this will look across your entire organisation to provide you with an indication of your security posture. It will also provide you with the ability to create SMART activities/objectives to address any findings or to make improvements.
What do you get?
A qualitative report describing the observations of people, process and technology and how well the security controls are operating.
Summation of your security posture and risk levels. It will also provide you with the ability to create SMART activities/objectives to address those risks. Your consultant may also recommend an alternative to ISO 27001 depending upon the findings within the organisation.
Third-Party Risk Service
The advent of Cloud Services, increased outsourcing, and lean operations have resulted in activities being outsourced to a third party, or utilising resources from third parties to some degree. ISO 27001 requires that when this happens, those third parties be subject to security controls but sometimes you don’t have the expertise or time to perform such reviews.
Why might I need this?
You don’t have the resource or expertise to conduct security due-diligence on the third parties that form your management system.
Who is involved?
- Risk Owner/Service Delivery Managers
- Third Parties
What will our experience be?
LRQA Nettitude will work with you to determine how you want to assess the security of your third parties and understand your risk appetite. We will configure a questionnaire that matches your needs and request this be completed by your third party. Upon receipt of this, we will review and identify potential risk and determine if any further review or onsite observation is required before providing a final risk summary for onward remediation or risk sign-off. This can be used for all or sparingly for your higher-risk third party arrangements.
What do you get?
- A tailored questionnaire profile for use within this service.
- A review and intermediate summary
- A final risk report aligning to your risk appetite for onward remediation or risk sign-off.
Internal Audit Service
The certification audits perform a core ISMS review and controls review but cannot go into depth given the time available. The standard compensates for this through the requirement for organisations to operate an internal audit program, otherwise called a first-party audit.
Why might I need this?
You don’t have the resources or experience to conduct internal audits of all aspects of the ISMS.
Who is involved?
- The ISMS
- Individuals across the organisation as determined through planning the programme.
What will our experience be?
The Consultant will need to be treated as an internal resource so they can access all people and have information made available to them. They will ensure that the system and processes providing security controls are being operated well and how they should be. Observations will be made and conversations held to capture information to produce audit reports which will be retained as evidence for the certification body.
What do you get?
For each audit activity, an audit report will be produced that is balanced to report the positive activities taking place and where areas need support. Internal audits do not have a pass or fail as they do not have a criterion of that nature. Where non-conformity is found, this will be collated into discrete non-conformity references for resolution using the appropriate procedure within the organisation.
Integration Workshop
Business requirements and your operating sector may demand certifications in order to remain competitive and viable. Holding multiple certifications can be challenging and sometimes keeping them all running simultaneously can be difficult.
Why might I need this?
You may be operating multiple ISO certifications (ISO 9001 Quality, ISO14001 Environmental and ISO 22301 BCM) and want to benefit from integrating these together as commonly structured management systems and streamline activities where possibly. This can include non-ISO compliance such as PCI DSS or the NIS Directive.
Who is involved?
- ISMS Manager/Compliance Manager
- Compliance Teams
- Audit Teams
What will our experience be?
The Consultant will review each of the compliance regimes you operate and identify how each can benefit the other, whether through rationalisation of documentations, or increased cross-assurance activities.
What do you get?
The Consultant will produce a set of recommendations on how you can align the different management systems and compliance regimes across your organisation in a practical way to result in stronger assurances, greater repurposing of your management systems and/or lower effort to manage.
Certification Support and Chaperone
The evolution of businesses can result in changes to the workforce, changes in a strategic direction and changes to structure. During those time of change, whether growth or rationalising, it is assuring to know that you have a LRQA Nettitude consultant available to ensure that the company certification is being maintained as per the standard and continuing to benefit the organisation.
Why might I need this?
- You may be struggling to find a permanent resource that meets your needs to support your ISMS without blowing your staff budget or isn’t a full-time role within your organisation.
- You may want to have that subject matter expert to be available to you when queries arise internally or externally.
Who is involved?
- ISMS Manager/Compliance Manager
What will our experience be?
This is entirely tailored to your needs and may include chairing your management reviews, helping review your risk management program, having an opinion
Policy and Documentation Support
Policy and Documentation Management
You may find that keeping an eye on all of your policies and giving them the maintenance they deserve is time-consuming and you need some help.
Why might I need this?
- You may be struggling to find a permanent resource that meets your needs to support your ISMS without blowing your staff budget or without appointing a full-time role within your organisation.
- You may want to have that subject matter expert to be available to you when queries arise internally or externally.
- You may also find that you don’t have the experience or knowledge to produce policies for your organisation and need some support.
Who is involved?
- ISMS Manager/Compliance Manager
- Affected areas around the business
- HR Representatives
What will our experience be?
Whether onsite or remote, the consultant will confirm the base template for your policy documentation and work with you to identify and produce the policy documents for your final review and sign off into your organisation. Where these documents already exist, they will be able to complete their periodic reviews as per your chosen review interval.
General Enquiry