We provide ISO 27001 consulting and implementation support. This includes a phase-wise approach that involves understanding the business context of information security, information asset identification, information valuation, security valuation, technical and procedural risk assessment, gap analysis against the 114 ISO 27001 controls, detailed recommendations, policy/documentation support, training, coaching employees/teams, coaching security managers, security performance setting, gap implementation monitoring, audit and management review, leading to successful zero-defect ISO 27001:2013 certification.
Our ISO 27001 consulting methodology delivers several benefits. These include identification of all vulnerabilities in the infrastructure, whether related to technology, skills, vendors or locations. Top management can clearly see the overall risk reduction in the organization and the way it is embedded in each business lifecycle.
What is Information Security Management System (ISMS)?
A step-by-step method of identifying information that is key to business success. An ISMS also includes a comprehensive approach to assessing risks on one hand and identifying opportunities for improvement on the other. Such opportunities take the shape of designing, documenting, implementing, measuring, auditing and continuously improving the information security posture. Improvement can take place both through proactive processes such as risk assessment and through reactive ones such as incident handling. In simple words, an ISMS is a proactive approach to preventing and reacting to information-related incidents.
Being aware of our present weaknesses, and knowing how we will react to them, is in essence the true impact of a formal ISMS. Conversely, not being aware of some part of the system and its security relevance, or of the approach we will take in case of a failure, demonstrates the absence of an ISMS.
WHAT IS THE CORAL APPROACH TO SUCCESSFUL ISMS – ISO 27001 CONSULTING/CERTIFICATION?
We bring our world-class experience in delivering ISMS (ISO 27001) implementation leading to successful certification.
Phase I – Understanding the business context and the relevance of information security to it is the starting point of the ISO 27001:2013 implementation analysis.
Phase II – Detailed risk assessment/gap analysis, including information asset identification and IT security risk assessment covering threats, impacts, vulnerabilities and probabilities, resulting in the identification of risks and gaps. In addition, we determine which of the 114 ISO 27001 controls are applicable and relevant to implementing IT risk management.
Phase III – Implementation/measurement journey, through the definition of ISO 27001 policies, procedures and documentation on one hand and the closing of risk-based gaps on the other. This phase takes the most time.
Phase IV – Internal audit, also referred to as the ISO 27001 audit, is the process of verifying successful ISO 27001 implementation on one hand and the inclusion of security principles in the business lifecycle on the other.
Phase V – ISO 27001 registration body certification. This has two stages:
Stage 1 – documentation, and Stage 2 – implementation verification.
So what makes a good ISO 27001 consultant?
ISO 27001 consulting is a fairly complex task that requires a combination of skills.
This includes understanding the business, understanding information security, and understanding how the two relate.
The role requires interacting with each team in the organization and the ability to see assets and controls across multiple domains.
Therefore the ISO 27001 consultant must have the following basic skills:
Ability to understand business goals, strategies and objectives. Every organization is unique and therefore requires an acute understanding of what makes it succeed. After all, security objectives have to fulfill business objectives.
Ability to align business goals with security goals
Ability to define a formal risk assessment and risk management approach in line with the business – one that is sustainable and repeatable
Ability to clearly define, articulate and measure key components of risks such as threats, impacts, vulnerabilities and probabilities using a structured model
Ability to distinguish assets of different categories
Ability to distinguish risk uniqueness in each asset or asset groups
Strong technical background in application/database/network security
Strong background in researching new vulnerabilities and how they could be exploited against a specific infrastructure
Ability to present weaknesses in a form that can be evaluated in risk parameters
Ability to advise client/top management whether to pursue a risk/vulnerability or not
Ability to define and document policy, procedure and process
Ability to evaluate technology and automation options
Ability to advise the client, using their organizational structure, as to who should close a specific gap
Ability to guide an implementer (the team within the organization nominated for a specific gap) with the right direction on why the policy has to be implemented, in terms of business value and risk reduction
Ability to evaluate the successful implementation of a control
Ability to assess the cross-functional impact of a newly implemented policy.