Implementing ISO 27001:2013 starts with identifying, designing, developing and launching the Information Security Management System (ISMS). Once implemented and operational, the ISMS manages information security through the governance and management processes that make up the management system.
The mandatory management-system requirements (clauses 4 to 10) and the accompanying 114 Annex A controls across 14 domains of ISO 27001:2013 are designed to create value for an organisation and to build an enterprise capability for managing business risk, using resources efficiently and realising benefits for the business.
The ISMS is run as a continuous-improvement cycle using the Plan-Do-Check-Act (PDCA) model (ISO 27001:2005 named PDCA explicitly; the 2013 edition no longer names it, but its clauses 4 to 10 follow the same cycle). In paraphrase, the PDCA phases cover establishing the policy, objectives, processes and procedures relevant to managing risk (Plan); implementing and operating them (Do); assessing and, where applicable, measuring process performance against the policy (Check); and taking corrective and preventive action (Act).
Benefits of Implementing ISO 27001:2013
By building your information security management system around ISO 27001:2013, your organisation can realise benefits such as:
- Keeps confidential information secure
- Gives customers and stakeholders confidence in how you manage risk
- Allows information to be exchanged securely
- Helps you demonstrate that you are meeting your legal obligations
- Helps you comply with other regulations
- Provides a competitive advantage
- Enhances customer satisfaction, which improves client retention
- Gives consistency in the delivery of your service or product
- Manages and minimises risk exposure
- Builds a culture of security
- Protects the company, its assets, shareholders and directors
Our Approach and Methodology
Step 1: Information security controls gap analysis – We audit your information systems against the requirements of the standard. This identifies which of the relevant security controls are implemented and which are not in place. We also assess the maturity of each control using the CMMI (Capability Maturity Model Integration) scale of 0 to 5:
- 0 = Non-existent
- 1 = Initial
- 2 = Managed
- 3 = Defined
- 4 = Quantitatively Managed
- 5 = Optimised
At the end of the control gap assessment, a Gap Assessment Report is produced. It presents an overview of the current status of each control relative to the standard and to security best practice. Its short-term purpose is to drive corrective and preventive measures for assets with a high risk potential; in the long run, the same reporting template tracks the planned measures and the variance between planned and actual maturity, making the continuous improvement visible.
Step 2: Establish a roadmap for closing the gaps in the applicable Annex A controls – Not all 114 controls will necessarily apply; the Statement of Applicability records which do and why. For each applicable control we state the current maturity, the target maturity and the recommendations for moving from one to the other. A RACI chart is defined for each control, and the responsible process owners see to the implementation of the approved improvements. The existing risk management process is assessed against the requirements of the standard (clause 6.1), and recommendations are given where deficiencies are found.
Step 3: Implement the roadmap for closing the gaps in the applicable controls – Each process owner is mentored and walked through implementing the controls that apply to them. The risk assessment and risk treatment process for information security risks is carried out with the risk management department or the individual(s) tasked with risk management, and the resulting risk treatment plan and Statement of Applicability are documented, as the standard requires.
We recommend specific training for specific stakeholders and process owners, giving process owners the training and guidance they need to manage their processes.
Step 4: Review the client's readiness for ISO 27001 certification – We guide and prepare the client's audit team to conduct the internal audits that the standard requires (clause 9.2). The audit results are evaluated, and any gaps found are closed by your implementation team.
Step 5: Certification audit – Finally, you face the certification body's auditors, normally in two stages: a Stage 1 review of the ISMS documentation, followed by a Stage 2 audit of the implementation. Astralcode consultants support your team throughout the audit. We assist you in closing any nonconformities or observations raised by the external auditors and help you achieve ISO 27001 certification.