ISO 27001 SERVICES
Implementing the ISO 27001 standard is a challenge to any organisation. The requirement to become certified to any standard is often driven through contractual obligation, regulatory requirement or simply being the right thing to do for the organisation; on nearly all occasions it can seem a daunting process and can be difficult to evaluate.
For those wanting to understand their current security posture, the range of products below can be used to baseline your maturity level and help you evolve your information security strategy moving forward; this is true even if you don’t want to pursue the full certification.
Why Choose Nettitude?
Traditional approaches to certification often apply a “one size fits all” that doesn’t quite fit what you really want, nor does it fully align to your strategic objectives. These “GAP analysis exercises” often miss crucial components of the certification, such as:
- What is your scope?
- What is the driver for certification?
- Is an alternative more suitable?
Once Nettitude has helped you reach ISO 27001 compliance, we can then assist you with setting up the regular ISO 27001 audit process with our parent company Lloyd’s Register, who have extensive experience and deep technical expertise in delivering this. Learn more about Lloyd’s Register’s ISO 27001 audit services here.
What Version is ISO 27001 at and How Might That Affect Me?
ISO 27001:2013 is the current version and the second iteration. It is aligned to the ISO’s Annex SL standards specification, which describes the structure of future standards. Nettitude recognises this harmonisation by the ISO/IEC, especially for those holding any of the following:
- ISO 9001:2015 – Quality Management
- ISO 14001:2015 – Environmental Management
- ISO 22301:2012 – Business Continuity Management
Where you have transitioned to any of the above, you are already ahead. If you’ve yet to make the move, the information you get from us will place you in a strong position to transition your other certifications sooner and build on the value you’ve gained from Nettitude.
By breaking down the certification into the following Base Activities (BAs), you can select as many or as few as you need, in the time you want them. We will support you all the way. Nettitude is completely agnostic to the certification body you choose; our products will successfully support you on your journey whoever completes the certification assessment.
BA1 – ISO 27001 Management Workshop
Getting started is often the most challenging step, usually through a misunderstanding of the ISO 27001 standard and its purpose. This workshop is for top-level management, decision-makers, and risk owners. We spend the day demystifying the standard into smart activities and objectives, which can be incorporated into either a project or within business as usual activities. It will make the standard accessible and sow the seeds for engaging the rest of the organisation. For those running alternative security or compliance regimes such as PCI DSS, it will demonstrate how the work you are already doing can be incorporated into your ISO 27001 ISMS for quick wins.
BA2 – Information Security Management System (ISMS) Review
This review is aimed at the elements of the standard which form the core requirements and is focused on top management, decision makers and risk owners. It will evaluate how compliant you are with clauses 4 to 10 and provide you with a roadmap to achieving full compliance. Your roadmap will be tailored to your organisation and objectives, so that the scope of your ISMS meets your strategy.
BA3 – Risk Management
Risk Management is at the heart of ISO/IEC 27001:2013. In conjunction with your Nettitude consultant, a risk management system incorporating the requirements of the standard will be developed which fits your organisation both in terms of size and complexity; this will be incorporated into your ISMS and provide the necessary business processes to run the system.
BA4 – Security Control Review
Nettitude consultants will use a combination of substantive and compliance methods to assess your security controls against the ISO 27001 Annex A Controls (see below). Where the scope of the certification is not yet known, this will look across your entire organisation to provide you with an indication of your security posture and risk levels. It will also provide you with the ability to create SMART activities/objectives to address those risks. Your consultant may also recommend an alternative to ISO 27001 depending upon the findings within the organisation.
BA5 – Third-Party Risk Service
The ISO 27001 revision in 2013 increased the level of controls required when working with third parties. Nettitude’s consultants will work with you to determine your Risk Levels (RLs) and design an assessment process to harvest and manage the RLs from each third-party. Whether you hold the certificate yet or not, Nettitude can support you in this area by completing those risk assessments on your behalf.
BA6 – Internal Audit Service
Your organisation may not initially have the time or resources to fulfil the requirements of Internal Audits. Nettitude can develop and deliver an internal audit programme to meet the requirements of the standard and, more importantly, grow your ISMS and security posture. As your familiarity with the standard and processes improves, you may choose to bring this in house or simply retain Nettitude to deliver this core element of the standard on your behalf.
The Nettitude Approach
Nettitude has developed a working methodology called PIE FARM to help you maximise the benefits of our engagement and ensure all deliverables support your corporate goals and objectives.
This seven-stage approach is applied to all the solutions offered by the Governance, Risk and Compliance (GRC) team and directly relates to the requirement and needs within everyone’s approach to compliance or governance.
The following diagram shows the 7 stages of PIE FARM and where each Base Activity falls within the methodology:
Choosing Your Base Activities
Nettitude is ready to assist you at all stages and has compiled the following table providing a number of scenarios and suggested base activities we can provide: