To help your organisation get started in complying with the ISO 27001 standard, our Discover service provides the following deliverables:
- Conduct ISO 27001 Compliance Gap Assessment: Risk Crew will assess your current information risk management processes, operations, policies and ISO 27001 controls against those recommended by the standard, to identify the current compliance “gap” and then generate a comprehensive report of our findings and recommendations to remedy that gap.
- Create ISO 27001 Compliance Activities Roadmap: Findings will include a detailed list of actions required for your organisation’s full compliance, in a project plan format of your choice. The roadmap will cite specific actions required for compliance, proposed action owners, target completion dates and estimated budgets required.
- Conduct Stakeholder Workshop: Upon completion, Risk Crew will conduct a half-day workshop for key business stakeholders to ensure their understanding of the remedial actions needed for compliance and the estimated resources and timeline required.
This service results in a solid understanding of the standard and what’s required from your business to comply.
Our Assist service offers all deliverables from our Discover service plus the following:
- Identify, Locate and Classify Information Assets: Risk Crew will review your business model and interview your key business stakeholders to identify, locate and value the sensitive information assets processed, stored and transmitted by your organisation.
- Create Data Classification and Marking Schemes: Once these information assets are identified, we will create suitable classification and marking schemes to ensure appropriate handling and security controls are applied and compliance requirements (such as Data Protection) are met.
- Create Information Asset Register: All information assets will then be documented, citing their sensitivity level, value, owner and location within your information technology systems, in accordance with the standard. This document provides the inventory for risk management.
- Perform an Information Security Threat and Risk Assessment: Risk Crew will then conduct a comprehensive information threat and risk assessment. This identifies the potential security threats to your organisation’s information assets, the likelihood and impact of these threats occurring, and recommended remedial actions. Risk likelihood and impact calculation formulas will be agreed with you in advance, and the outcome will be delivered in a Risk Treatment Plan format that will serve as your foundation for tracking and managing risks to your information assets across the organisation.
- Conduct Risk Strategy Workshop with Stakeholders: Upon completion of the above deliverables, Risk Crew will hold a half-day workshop with your key business stakeholders to ensure their understanding of the threat and risk assessment results and confirm and establish the information risk appetite, tolerance and capacity levels for the organisation.
- Create Template ISMS Documentation for Customisation: We will then provide template ISMS documentation, including a draft Statement of Applicability (SoA) and sample information security policies and procedures, for the organisation to customise to its business processes and risk objectives.
- Conduct Mock Audit: When you are ready, Risk Crew will come in and conduct a mock audit and provide an ISO 27001 compliance report to ensure certification readiness.
This service provides the framework essential for compliance and is ideal for organisations that have operational resources but specifically lack in-house information security risk management expertise.
The outcome serves as the foundation for an effective, operative information security management system and requires the implementation of remedial actions, policy customisation, control implementation, testing, and education of your users for completion of your compliance requirements.
Our Implement service offers all the deliverables from both our Discover and Assist services and the items below. This popular service comes with our 100% guarantee that you will pass your compliance audit.
- Customised ISMS Documentation for the Business: Risk Crew will create fit-for-purpose ISMS documentation to include a compliance-specific Statement of Applicability (SoA) along with bespoke information security policies and procedures for the organisation to implement.
- Control Recommendations: Risk Crew will also recommend cost-effective information security controls where required to ensure policy implementation and compliance. Control recommendations shall include control objectives, control configuration (if required), control evidence and control testing procedures.
- Conduct Network and Website Security Vulnerability Assessment Scanning: Risk Crew will then conduct automated vulnerability assessment scanning to identify security weaknesses associated with your business systems and website for remediation in accordance with the standard.
- Conduct Network and Website Security Penetration Testing: Risk Crew will also conduct manual security penetration testing of your business systems and website to attempt to identify and exploit associated weaknesses in accordance with the standard.
- Implement Information Security Awareness Training Program: Risk Crew will provide computer-based information security awareness training to your staff to ensure their understanding of cyber security threats to the business along with their roles and responsibilities for compliance to policies and incident reporting in accordance with the standard. Face-to-face workshops with cyber security experts are also available in lieu of or to supplement this training depending on your preference.
- Conduct ISMS Workshop with Stakeholders to Ensure Understanding, Roles and Responsibilities: Upon completion of the above, Risk Crew will hold a full-day workshop with your key business stakeholders to ensure their comprehensive understanding of the ISMS, its goals and objectives, key performance indicators (KPIs), and staff roles, responsibilities and ongoing actions required to support it.
This comprehensive service provides everything you need for your ISO 27001 compliance, short of implementing the policies and procuring any controls needed, and is designed for organisations looking for a cost-effective, turn-key solution. If, for any reason, your initial audit produces any additional remedial actions required for certification, we will implement these actions at no charge to you.
If your organisation is currently ISO 27001 compliant, then you know that once you get compliant, the challenge is to stay compliant.
Risk Crew can help you meet this challenge with a variety of support services, from delivering ongoing requirements such as conducting risk assessments, scanning, testing and delivering information security awareness training, to providing continuous ad-hoc advice and assistance to answer questions, clarify requirements and ensure you stay the course of compliance.