Working Together to Achieve Global Standards in Security: ISO 27001 Implementation
Client: ACME Employment Agency (anonymised to protect client confidentiality)
Sector: Consultancy – Business and People Strategy
Company Size: 100+ employees
ACME’s senior management was increasingly aware of the need to demonstrate the company’s adherence to industry standards. Their thinking was precipitated when a key client demanded ISO 27001 certification. We at Perspective Risk, prepared a plan for ACME to achieve ISO 27001 compliance in just four months.
Perspective Risk Core Services Provided:
- ISO 27001 Gap Analysis
- ISMS (Information Security Management System) Implementation Strategy and Assistance
- ISO 27001 External Audit Support
- ISO 27001 Annual Internal Audit
The ISO 27001:2013 standard goes beyond IT security and cyber security because it covers all types of information, not just digital data, making it one of the broadest information security standards to benchmark against. And it’s one of the most useful in practically applying security risk management controls.
Given their handling of sensitive employee data, ACME’s senior management was increasingly aware of the need to demonstrate the company’s adherence to industry standards. Their thinking was precipitated when a key client demanded ISO 27001 certification.
The ACME leadership team sought to fast-track their achievement of ISO. They were keen to understand how far the business was from the standard and the extent of the work involved.
After an in-depth consultation with senior operations staff, we created a bespoke plan of action to fulfil ACME’s ambition, to ‘Assess, Achieve and Maintain’ the certification. The plan included a gap analysis to benchmark ACME against ISO security standards and identify gaps in their security model.
We prepared an ‘Assess, Achieve and Maintain’ plan for ACME to achieve ISO 27001 compliance in just four months.
ISO 27001 ASSESS
Our comprehensive and tailored approach to assessing ACME’s gaps in security and ISO 27001 conformance included:
A review of ACME’s existing policies, processes and procedural documentation.
Face-to-face interviews with principal security and operations stakeholders.
Onsite surveillance of ACME’s processes and security controls.
A review of the evidence supporting conformance to ISO 27001 Clauses 4-10.
A deep-dive of their existing security technologies and line-of-business applications.
Benchmarking their current security controls against the ISMS standard.
Presented Executive Summary and strategic recommendations to inform prioritisation of remediation activities and assist senior leadership decisions.
Provision of a detailed report into ACME’s conformance to the ISO 27001 standard (Clauses 4-10) and its capabilities across selected controls (Annex A).
Focused, tactical recommendations made per control, across both Clauses and Annex A controls, to assist in the future closure of identified gaps in capability.
The onsite discovery assessment ensured that our GRC (Governance, Risk and Compliance) team collaborated transparently with ACME’s operational teams, identifying areas for improvement as well as strong existing security practices.
Our consultant kept ACME’s stakeholders informed of progress. Communications included highlighting high-risk areas in real-time, enabling the business to fix them as a priority. Where necessary, we assisted with the remediation.
ISO 27001 ACHIEVE
To support the achievement of ISO, our ISO consultant conducted checks the day before the audit and briefed ACME’s team. And at ACME’s request, we were present during the onsite certification audit.
Our knowledgeable consultant assisted the external auditor, which included discussing examples of security practices and managing corrective actions. Supporting continuous improvement is a critical requirement of ISO 27001.
Consequently, ACME passed their external certification audit with zero minor non-conformities or observations and achieved certification to ISO 27001:2013.
ISO 27001 MAINTAIN
With ISO 27001:2013 certification achieved, internal audit experience and resourcing was ACME’s next priority. As a proven safe pair of hands, we suggested the internal audit programme be outsourced to our qualified personnel and aligned to a quarterly schedule. This programme fitted with ACME’s business objectives and delivery timelines.
As part of this service, our ISO Team:
- Created an internal audit schedule to cover the 12-months before the next external surveillance / recertification audit.
- Conducts one-day onsite audits every quarter to review the selected controls in the internal audit schedule.
- Delivers formal reports for each onsite audit to provide documented evidence of the findings (conforming with ISO 27001:2013 Clause 9.2 g.).
- Attends ACME’s internal management reviews to discuss results and recommendations for corrective and preventative actions (complying with ISO 27001:2013 Clause 9.2 f.)
Results and Benefits
Our expert, objective internal auditing is proving highly beneficial, as it doesn’t impinge on ACME’s operational capacity. Internal audits are planned to minimise impact on business-as-usual and spotlight areas for improvement, as well as existing excellence.
Our support became especially important when ACME added internal software development into the scope of their ISMS. Our GRC team provided insight into the effective implementation of the software into the existing management system.
“I wanted to put on record our thanks to Adam, who has been brilliant throughout. While we knew we had the building blocks [for ISO 27001] in place, he sorted everything out and put them into the required structure. He’s also great to work with! Hard work and determination do pay off, and we are all delighted at this end.”
– Client Services Director, ACME Employment
Our continued safe pair of hands ensured that ACME passed their subsequent external surveillance audit and are maintaining their prized ISO 27001:2013 certification. Crucially, this has enabled them to maintain ownership of one of their key accounts.
ISO 27001 Services Included:
- A Gap Analysis against the ISO 27001:2013 ISMS standard:
– Discovery of ACME’s principal risks and current conformance to ISO 27001
– Recommendations based on our analysis of ACME’s security posture
- Remediation Strategy and Planning Activities:
– A strategy for ACME’s conformance to ISO 27001
– Closing the gaps identified during the analysis
– The development of all necessary documentation
- Supporting ACME throughout the ISO 27001 External Audit:
– Provision of an experienced consultant to attend onsite during the audit,
guiding ACME and providing expert input