IS27001 Implementation and Audit
Primary Reasons
-
Improve customer Trust by assuring compliance with industry standard framework requirements​
-
Improve marketing edge (image and credibility) by attaining certification to ISO 27001​
-
Reduce impact related to information security incidents​
-
Improve internal organization by better defining responsibilities and duties
Secondary Reasons
-
Integrate information security with business process for better alignment​
-
Improve decisions based on data from the information security management system​
-
Create a culture of continual improvement of the information security​
-
Improve employee, and other interested parties' engagement in information security management
Controls
-
Information security policies​
-
Organization of information security​
-
Human resource security​
-
Asset management​
-
Access control​
-
Cryptography​
-
Physical and environmental security
-
Communications security​
-
System acquisition, development and maintenance​
-
Supplier relationships​
-
Information security incident management​
-
Information security aspects of business continuity management
Process
Initiation
Planning ISMS framework
Risk assessment
Implementation
Internal Audit
Management Review
Corrective Actions
Certification Audit
Continual Improvement Setup
Deliverables​
-
ISMS General requirements documents and statement of applicability​
-
Develop ISMS related documents defined by the organization (e.g., documents for security controls, Policy and Procedures)​
-
Definition of risk assessment methodology and organization’s risk profile​
-
Measurement, analysis, and improvement processes
Purpose
-
Defining the ISMS framework based on the context ​
-
Identifying the current risk scenario​
-
Selecting and implementing proper security controls​
-
Providing proper awareness, training, and education to the users​
-
Providing relevant information to management for the first critical review of the ISMS for continual improvement​
-
Selecting the proper certification body to certify the system