Every day we hear from organizations who need to know if they're ISO 27001 compliant or what they need to do to become compliant. The ISO 27001 standard provides a well-rounded assessment to prove you have an effective information security management system (ISMS). Unlike other frameworks, such as NIST, ISO 27001 offers formal certification of compliance. Because of this, many organizations are using ISO 27001 to show that they're making real efforts to keep their critical data secure. Achieving certification is not an easy task. NuHarbor can provide you with everything you need to reach certification or deliver the assessments to actually become certified. If you're serious about protecting your data, you should be looking at ISO 27001.
What Is ISO 27001?
ISO 27001 is a set of security standards published by the International Organization for Standardization (ISO) which helps organizations develop and manage an ISMS. ISO 27001 is a flexible and scalable set of standards that can be adapted for a wide range of industries and company sizes. The standard is great for organizations that aren't in highly regulated industries with their own security standards (e.g., PCI DSS or NIST 800-53), and allows an organization to successfully implement an effective ISMS that fits their needs and budget. Still not convinced that ISO 27001 will bring value to your organization? Here are seven reasons why ISO 27001 will improve your information security program.
ISO 27001 ISMS Implementation Process
NuHarbor uses a seven-phase approach to guide organizations in implementing an ISO 27001 ISMS.
Phase 1: Preparation and Pre-Work
The amount of work needed for the first phase of an ISMS Implementation depends on the goals, scope, and priorities of the implementation. NuHarbor will partner with your team to identify and prioritize the objectives and stakeholder commitment, develop asset inventories, and assist in scoping your environment. This phase ensures the rest of the implementation goes smoothly and everyone is on the same page.
Phase 2: Gap Assessment
During this phase, NuHarbor will work with your organization to identify gaps in your current security practices by assessing the implementation of ISO 27001 Annex A controls. NuHarbor will then compile a report with the identified gaps which will be the foundation for the risk assessment in the next phase.
Phase 3: Risk Assessment
Using the identified gaps, NuHarbor will assess the risk in the context of your business, determining how gaps can impact critical assets and recognizing how these gaps may impact strategic goals and objectives. This allows NuHarbor to prioritize risks that are most relevant to your organization.
Phase 4: Risk Treatment Plan
In Phase 4, you'll partner with NuHarbor to determine which risks identified in Phase 3 to accept, avoid, transfer, or mitigate to an acceptable level using information security controls. These decisions will be compiled into a risk treatment plan that will be used to manage these risks.
Phase 5: Information Security Risk Management
NuHarbor will assist your organization in putting the risk treatment plan into play to manage any risks identified. Whether you transfer the risk via insurance policies or implement security controls, NuHarbor is here to assist you in correctly implementing and verifying the remediation plan.
Phase 6: Audit Preparation
Although not required, pursuing an ISO 27001 certification can prove to your clients and business partners that your organization takes information security seriously and has met widely accepted standards for security professionals. If your organization chooses to pursue a certification, NuHarbor can help with conducting a readiness review and double-checking that all documentation is complete and in place.
Phase 7: ISO 27001 Certification
If your goal is to be ISO 27001 certified, there are two paths to certification that NuHarbor can help you navigate. Down the first path, NuHarbor helps you build your program, using Phases 1, 3, 4, 5, and 6. This approach works well for organizations that don't have the time, expertise, or resources to prepare for the certification. In this case, you would need to use a third-party assessor to complete the certification, as we can't certify our own work.
The second path is self-driven. You build your program, possibly with another third party, and NuHarbor provides assessments along the way, including the gap assessment, the phase one audit (i.e., a practice run), and the phase two audit and certification.
Whichever route you choose, NuHarbor's goal is to help you reach certification and be more secure.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.