What is a ISO 27001 ISMS?

ISO/IEC 27001 is the international standard for information security management. It outlines how to put in place an independently assessed and certified information security management system. This allows you to more effectively secure all financial and confidential data, so minimizing the likelihood of it being accessed illegally or without permission.

With ISO/IEC 27001 you can demonstrate commitment and compliance to global best practice, proving to customers, suppliers and stakeholders that security is paramount to the way you operate. 

ISO 27001 provides requirement for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS).

Applicability

ISO 27001 is something that is not applicable to the IT industry only. Very often, companies that are not very obvious candidates for ISO 27001 are also implementing it – for example, pharmaceutical companies, health organizations, government bodies, etc.

And this is what ISO 27001 is all about: it provides the methodology for companies to find out which potential incidents could happen to them (i.e., risks), and then define procedures on how to change employee behavior in order to prevent such incidents from happening.

Why are many non-IT companies interested in ISO 27001? Because, believe it or not, IT is not the key element in protecting information. In most cases, the companies already have all the technology in place – e.g., firewalls, antiviruses, backups, etc. However, they still have data breaches because this technology is not enough. This is because the employees do not know how to use that technology in a secure way, but more importantly – the technology is very limited when it comes to stopping an insider attack, so obviously something else needs to be deployed.

Objective

The objectives of ISO 27001 standards are: 

  • Identify risks and put controls in place to manage or eliminate them
  • Flexibility to adapt controls to all or selected areas of your business
  • Gain stakeholder and customer trust that their data is protected 
  • Demonstrate compliance and gain status as preferred supplier
  • Meet more tender expectations by demonstrating compliance

Approach

Our approach has been covered in a 5-phase format. These include: 

Phase 1: Understand Business Process
Understanding the environment and management’s expectations along with the policies and procedures.

Phase 2: Identify Risks and Controls
Identify target processes and understand the process flow, risk, information assets and controls pertaining to processes. 

Phase 3: Controls Design Testing
Identify controls based of 27001 and prepare the issue and opportunity registers, test the control design and identify deficiencies. Prepare risk mitigation plan and calculate the residual risks.

Phase 4: Controls Evaluation
Perform internal audit and identify the control weaknesses and impact of deficiencies. 

Phase 5: Certification
Invite certification agency for the certification audit

    Why CyberSRC®?

    Established in January 2018, CyberSRC® Consultancy offers the full machination of cyber security services ranging from threat intelligence, VMS to general advisory services in areas pertaining to Cyber security such as vulnerability attacks, compliance, and cyber security regulations, and laws. We are into system audits such as ISNP Audits, NBFC Audits, UCB Audits, PPI Audits, and SEBI Audits. We provide our solutions with better accountability. We are a certified assurance firm. We are an ISO 27001 certified organization, backed by a very diverse and dynamic team.