What is ISO/IEC 27001?
ISO/IEC 27001:2013 is a globally recognized standard for managing information security risks. It specifies a set of standardized requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The standard provides the framework to manage the confidentiality, integrity and availability of organizational assets such as financial data, intellectual property, employee details, confidential customer data or information entrusted by third parties. An ISO 27001 certificate is valid for three years, after which a reassessment audit is required to extend it for a further three years.
Why should my organisation subscribe to the ISO 27001 Standard?
Like all other ISO management standards, ISO 27001 is not obligatory. Having said that, many organizations are unaware of what their key assets are and how to protect them. ISO 27001 provides a framework for managing those assets in a way that is appropriate to the business, and it helps organizations treat data security seriously. From your customers' perspective, certification demonstrates your intent and seriousness in keeping their data safe. In addition, the ISO 27001 standard instils corporate due diligence and prepares you to meet regulatory and contractual requirements with respect to data security, privacy, and IT governance.
Any organization that holds sensitive information is a candidate for ISO 27001 certification. The healthcare, finance, public and IT/ITES sectors in particular can benefit greatly from a certified ISMS program.
ISO 27001 Implementation Roadmap
- Preparation: This stage sets the vision and expectations for all stakeholders. Since the program requires management oversight, it is essential to secure management buy-in and to nominate SPOCs (single points of contact) for each vertical within service delivery as well as the support teams. This is also the time to identify all external stakeholders and applicable regulations.
- Documentation: In this stage, we get into the specifics of defining a Statement of Applicability (SoA), defining an Information Security Policy, conducting a Risk Assessment and documenting the findings in a risk register.
- STAGE 1 Audit: In this stage an external accredited auditor evaluates the SoA, the Information Security Policy and the Risk Assessment reports, and determines whether you have a well-defined plan for ISMS implementation that can lead to ISO 27001 certification.
- ISMS Implementation: On successful completion of the STAGE 1 Audit, the ISMS implementation plan is put into action. This stage requires documentation of all workflows (policies and procedures), assignment of security-related roles and responsibilities, definition of KPIs, and an internal audit program defined in alignment with the risk assessment report.
- STAGE 2 Audit: The STAGE 2 Audit is the critical and most important step towards certification. In this stage, an external accredited auditor evaluates the controls implemented and reviews their effectiveness against the requirements of the ISO 27001 standard. The auditor's opinion of your organisation's operating environment, management oversight, reporting structure, implemented controls and internal audit procedures determines whether you are eligible for certification.
- Ongoing Maintenance & Audits: The work is not complete with certification. It is essential to maintain an ongoing compliance program to ensure that all controls keep operating effectively and that the internal audit program can identify process slippages and report its findings independently to management.
ISO 27001 Consulting & Implementation Assistance
At Crossbow Labs, we have a team of ISO 27001 champions: a team that has worked on ISO 27001 compliance engagements from every stakeholder position. This includes developing robust ISMS frameworks for large conglomerates, developing vendor- and third-party-specific ISMS frameworks, performing vendor audits, conducting third-party due diligence assessments, performing back-office assessments, conducting extensive risk assessments, and functioning as an on-premise (and on-demand) Information Security Manager and as an internal ISMS auditor. We have seen the entire spectrum.
Based on our extensive work in the ISO 27001 space, we have fine-tuned the industry-accepted Plan, Do, Check, Act methodology for effective engagement and transition into the ISO 27001 mode of thinking. Our approach to ISO 27001 implementation is as follows:
| Phase | Objective |
|---|---|
| Phase I: Scope Definition | Define the scope of the ISO 27001 adoption program |
| Phase II: Gap Analysis | Identify the security control areas not addressed by the existing security controls framework |
| Phase III: Risk Assessment | Conduct a risk assessment and document the findings in a risk register |
| Phase IV: Selection of Controls | Identify the control objectives that suit the particular business requirements of the organization |
| Phase V: Defining SoA | Prepare a comprehensive Statement of Applicability (SoA) |
| Phase VI: Developing ISMS | Develop or review a structured Information Security Management System (ISMS) documentation framework |
| Phase VII: Implementation of ISMS | Implement the policies and procedures outlined in the organization's ISMS |
| Phase VIII: Certification | Conduct mock audits and prepare the organisation for the certifying auditor |
Although these steps might seem complicated and costly at first, if executed properly they make your ISMS robust. The in-depth experience of our consultants at Crossbow Labs makes the entire certification process hassle-free for you.
ISO 27001 Training
The ISO 27001 standard lays the foundation for a strong baseline information security model, which makes adoption of several other widely used industry standards and governmental regulations easier. We offer custom-made information security awareness sessions and workshops to organisations, tailored to the target audience and the industry vertical.
We hold regular trainings and public workshops on the following:
- Information Security Awareness Session: Beginner's Guide
- Information Security Awareness Session: Intermediate Level
- Information Security Awareness for Cloud-Based Solutions: Crossbow Labs' Cyber Security Assurance Program (CSAP)
- Secure Coding Practices