Who Needs ISO 27001?
Every day we hear from organizations being asked if they are 27001 compliant and what they need to do to become compliant. The ISO 27001 standard provides a very well-rounded assessment to prove you have an effective information security management system (ISMS). Unlike other standards, such as NIST, you can get certified as 27001 compliant and because of this, many organizations are using ISO 27001 to show that they are making real efforts to keep their critical data secure. Reaching certification is not an easy task. NuHarbor can provide you with everything you need to reach certification or provide you with the assessments to actually become certified. If you’re serious about protecting your data, you should be looking at ISO 27001.
What is ISO 27001?
ISO 27001 is a set of security standards published by the International Organization for Standardization that helps organizations develop and manage an Information Security Management System (ISMS). ISO 27001 is a scalable set of standards that can be adapted to a wide range of industries and sizes of companies due to its flexibility. The standard is great for organizations that are not highly regulated industries with their own security standards such as PCI DSS or NIST 800-53 and allows an organization to successfully implement an effective Information Security Management Standard that fits their needs (and budget). Still not convinced that ISO 27001 will bring value to your organization? Here are 7 reasons why ISO 27001 will improve your InfoSec program.
ISO 27001 ISMS Implementation Process
NuHarbor Security uses a 7-phase approach to guide organizations in implementing an ISO 27001 ISMS.
Phase 1: Preparation and Pre-Work
The amount of work needed for the first phase of an ISMS Implementation depends on the goals, scope, and priorities of the implementation. NuHarbor will partner with your organization and team to identify and prioritize the objectives, stakeholder commitment, develop asset inventories, and assist in scoping your environment. This phase ensures the rest of the implementation goes smoothly and everyone is on the same page.
Phase 2: Gap Assessment
During the Gap Assessment phase, NuHarbor will work with your organization to identify gaps in your current security practices by assessing the implementation of ISO 27001 Annex A controls. NuHarbor will then compile a report with the identified gaps and the gaps identified will be the foundation for the risk assessment in the next phase.
Phase 3: Risk Assessment
Using the identified gaps, NuHarbor will assess the risk in the context of your business, determining how gaps can impact critical assets as well as recognizing how these gaps may impact strategic goals and objectives. This allows NuHarbor to prioritize risks that are most relevant to your organization.
Phase 4: Risk Treatment Plan
In Phase 4, NuHarbor and your organization will determine which risks identified in the third phase to accept, avoid, transfer, or mitigate to an acceptable level to your organization using Information Security controls. These decisions will be compiled into a risk treatment plan that will be used to manage these risks.
Phase 5: Information Security Risk Management
NuHarbor will assist your organization in putting the risk treatment plan into play to manage any risks identified. Whether you transfer the risk via insurance policies or implement security controls, NuHarbor is here to assist you in correctly implementing and verifying the remediation started.
Phase 6: Audit Preparation
Although not required, pursuing an ISO 27001 certification is a great way to prove to your clients and business partners that your organization takes information security seriously and has met the standards of security professionals. If your organization chooses to pursue a certification, NuHarbor is here to help with conducting a readiness review and double-checking that all documentation is complete and in place.
Phase 7: ISO 27001 Certification
If your goal is to be ISO 27001 certified, there are two paths to certification that NuHarbor can help you navigate. The first path, NuHarbor helps you build your program, using phases 1,3,4,5, and 6. This approach works well for organizations that don’t have the time, expertise, or resources to prepare for the certification. If NuHarbor helps build your program, you would need to use a third party assessor to complete the certification (we can’t certify our own work.)
The second path is self-driven, with you building your program or using another organization to build your program, and NuHarbor providing assessments along the way including the gap assessment, phase 1 audit (practice run), and phase 2 audit and certification.
Whichever route you choose, NuHarbor’s goal is to help you reach certification and be more secure than before you started the process.
Want to learn more about ISO 27001? Check out our latest podcast episode talking about the ins and out of ISO, or just give us a call!
by: Jordan Kimball
Cybersecurity Marketing Intern at NuHarbor Security
Follow us on Social Media for more information: