ISO 27001, one of the most rigorous standards, is a true information security management framework that seeks to help organisations mature towards high levels of performance. Achieving the standard can, however, be daunting for many organisations, since the level of detail required and the need for continual refinement can be challenging.
Sapphire’s experts have experience working inside complex security environments, helping manage the network of controls necessary to audit, assess and achieve ISO 27001 status while balancing organisational priorities.
We can help you to achieve ISO 27001 compliance or certification with a framework that takes a holistic view of risks to deliver effective cyber security, manage information in a secure manner, respond effectively when incidents occur, and mature strategies over time.
Our services are delivered by a team that uses a phased approach, honed with 25 years of experience, to understand the current state, assess risk, chart improvements, train and educate teams and streamline and de-risk the submission process.
We leverage a team of ISO 27001 consultants with experience understanding and managing security in a business context to prioritise the approach and bring focus while maximising human and technical assets.
ISO 27001 is the leading international standard for information security management systems. This well-proven framework outlines how an organisation can understand and mitigate their cyber risk, protect business data, apply controls and gradually improve posture over time. For those who are compliant, it is a sign of confidence for stakeholders and customers.
The ISO 27001 certification process involves an in-depth audit by the certifying body, as well as follow-up assessments. Receiving certification to ISO 27001 requirements is a thorough process that also requires the involvement of internal and external stakeholders. For this reason, it is advisable to ensure the maturity of your strategy before applying to be audited.
Sapphire specialises in delivering either ISO 27001:2013 compliance or third-party ISO 27001 certification. Each programme is typically divided into a number of discrete phases.
a) Information Security Management System (ISMS) Scope
This phase clearly defines the scope of the ISMS. This is an organisational decision. A Scope Statement is produced which details the departments and business units to be covered.
b) ISO 27001 Current State Gap Analysis
The initial gap analysis will review several areas of the business and benchmark current information security processes and procedures against the industry standard. The main output of this stage is a Current State Analysis, which is a document detailing the current state of the organisation against ISO 27002’s 114 security control objectives. This is then used to develop a Security Improvement Plan to identify next steps.
c) Risk Assessment and Risk Management
Any risk assessments that have been previously conducted by the organisation will be reviewed. A Risk Assessment Methodology Policy document will be produced detailing the risk process and plans. The results of the existing risk assessment process, as well as the results from the Gap Analysis, will then be put into a security improvement plan.
d) Security Improvement Plan
The Security Improvement Plan will be translated into an Information Security Management System (ISMS). The ISMS will typically comprise the policy, manual and procedures used to identify the rules and guidelines needed to protect information assets and prevent security breaches.
e) Information Security Awareness Education and Training
This phase provides information security awareness training relating to ISO 27001 for specified groups (e.g. senior management), technical training, and general staff training for selected ‘IS co-ordinators’ (skills transfer), in order to develop an effective Information Security Culture based upon ‘shared responsibility’.
f) ISO 27001 Mock Compliance
The ISMS document set will be reviewed to ensure it is complete and meets the requirements of ISO 27001:2013. An ISO 27001 readiness review and mock assessments will then be conducted to confirm that you are ready in all respects to proceed to compliance or indeed certification.
g) ISO 27001 Certification
Should the organisation want to complete the process to ISO 27001 certification, an independent accredited certification body will carry out a final audit and award certification.
Given the rigour required to pass ISO 27001, it is a sign that an organisation has a high level of cyber risk maturity. It is also required as a compliance baseline in many industries.
This depends on a number of variables. It can be anywhere between 6 – 8 months for small organisations and between 12 – 18 months for larger enterprises.