ISO 27001 Implementation

Features

Valency Networks' ISO 27001 consulting services help organizations strategize, build, and certify a robust and effective Information Security Management System (ISMS). Our ISO 27001 consulting team brings extensive experience and deep information security domain expertise to ensure that you achieve ISO 27001 certification on time and on budget.


ISO 27001 Advisory Services Feature

ISO-27001 consulting services include:

  • Information Security Management System (ISMS) Strategy/Framework Selection : Determining the optimal approach to ISMS development in light of industry, regulatory compliance, and attestation requirements.
  • ISMS Scope Determination & Optimization : Scope determination is critical to a successful ISO-27001 certification effort. The scope needs to be broad enough to ensure that it will satisfy key stakeholders (e.g., clients, shareholders) but narrow enough to ensure the initial effort remains manageable.
  • Risk Assessment : Risk assessment and risk management are fundamental to an ISMS. We believe ISO 27001 has an advantage over many other risk assessment standards in that it is well suited to a non-asset-based approach: starting from the information itself and the processes that act on it yields a far more intuitive assessment that delivers greater value in less time.
  • Risk Treatment Plan Development : The risk treatment plan defines the ISO-27001 controls required, including the necessary extent and rigor, to treat (mitigate) risk to a level that is deemed acceptable by management. It is a fundamental ISMS artifact and forms the basis/standard for the gap assessment.
  • ISMS Gap Assessment : Understanding the gap between the current and desired state of the Information Security Management System (e.g., ISO 27001) is a key input into a Prioritized Roadmap (Gap Remediation Plan).

Standards Followed :

ISO 27001:2013


Does ISO 27001 cover cyber security?

ISO 27001 is a thorough standard that helps an organisation uncover its risk areas and treat them with a catalogue of controls: Annex A of ISO 27001:2013 lists 114 controls in 14 domains (the 2022 revision reorganises them into 93 controls under four themes). The domains cover everything from protecting assets and information to protecting people.

Through these controls, the 14 domains help an organisation secure its firewalls, perform timely patch management, defend against malware and viruses, harden its assets, and more.

Although ISO 27001 is detailed, it only tells you which controls should be applied to which risk areas. For guidance on how those controls should be implemented, refer to ISO 27002.

How long does it take to get ISO 27001 certification?

It depends entirely on the organisation's readiness and preparedness. Once all the documentation, policies and procedures mandated by ISO 27001 are in place, the organisation should conduct an internal audit (and the management review the standard requires) to check whether it is ready for the external audit.

The external audit is performed by an accredited certification body and is divided into two stages.

  1. Stage 1: the external auditor reviews all the documentation, such as policies, procedures, risk registers and the other documents mandated by ISO 27001.
  2. Stage 2: once you clear Stage 1, you qualify for the second stage, in which the external auditors talk to the stakeholders and examine evidence to verify that the policies and procedures laid out are actually being followed.
Once an organisation clears both stages it is issued a certificate and is ISO 27001 certified. The certificate is valid for three years; during that period the certification body performs periodic (typically annual) surveillance audits to check that the ISMS is still being operated as documented, followed by a recertification audit at the end of the cycle.

Why does ISO 27001 expect VAPT as one of the controls?

Vulnerability Assessment involves finding security holes, i.e. vulnerabilities, by scanning the network. Penetration Testing goes further and exploits those vulnerabilities to analyse the extent of damage that could be done to the system.
ISO 27001 does not name VAPT explicitly, but Annex A of the 2013 edition requires the management of technical vulnerabilities (A.12.6.1) and technical compliance reviews (A.18.2.3), and VAPT is the usual way to produce evidence for both. It is important to gauge the risks to applications, products and network devices to make sure they are secure from internal and external threats. This is achieved by periodically scanning all information processing facilities for underlying vulnerabilities and designing a detailed, risk-prioritised plan to fix them.

Should the ISO27001 VAPT include servers and firewalls?

It is important to test all network devices, including but not limited to firewalls, switches and routers. With attacks on networks growing, it is crucial for an organisation to understand all the risks pertaining to its servers and firewalls and lay out a detailed plan to fix them before they are exploited.

A thorough testing plan will uncover many underlying vulnerabilities, such as outdated firmware versions, missing system patches, unwanted open ports, misconfigured firewall rules, misconfigured server settings, weak passwords and obsolete accounts. An organisation can use industry-recognised tools to find potential loopholes in its systems, or do it manually with the help of skilled staff.

How to determine scope of VAPT for ISO27001?

VAPT is one of the important controls for ISO 27001. The aim of the standard is to help organisations analyse and assess risks in all areas and treat them by applying a wide range of controls.

To determine scope, it is important to analyse the crucial information for the organization, its touch points and the risks to it. Once that is identified, it will be easier to narrow down to the assets, network devices, cloud or applications that contain the most crucial data. All of the assets identified through this process should come under the scope of VAPT.

VAPT will help uncover all the underlying risks that could cause a lot of damage to the organisation.

How to perform VAPT for satisfying ISO27001 requirements?

Vulnerability Assessment and Penetration Testing involves scanning all information processing facilities, including but not limited to servers, desktops, laptops, products, switches, routers and firewalls, for underlying loopholes and weaknesses, and then exploiting those weaknesses to see how much damage they could cause.

To perform VAPT as per ISO 27001, an organisation should first narrow the scope down to its critical assets and components. Once that is done, it can either engage an external VAPT vendor, in which case a non-disclosure agreement should be signed between the vendor and the organisation, or test all the in-scope components itself using industry-recognised tools. The organisation can also perform these tests manually if it has skilled staff to do so.

More info can be found on: https://www.valencynetworks.com/it-audit-services/iso/vapt-for-iso27001-audit-compliance.html
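As an added example (not code from Valency Networks or from this page), the following Python script shows the kind of baseline check behind the "unwanted open ports" and "misconfigured firewall rules" findings described in the servers-and-firewalls section above, and how the scoping exercise from the previous section turns into a per-asset allowlist. It parses a constructed nmap `-oX` style XML result, compares each host's open ports against an assumed baseline taken from the asset register, flags cleartext services outright, and emits findings that can be attached as audit evidence. The hosts, ports, baseline and function names are all assumptions.

```python
"""Baseline check of an nmap XML scan for an ISO 27001 VAPT evidence pack.

Added example, not Valency Networks' code. The XML below is a constructed
sample in the shape of `nmap -sV -oX` output (trimmed); the baseline,
host addresses and function names are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample scan: a web server, a firewall, and an unregistered host.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.99" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed approved-services baseline per in-scope asset, i.e. what the
# asset register and firewall ruleset say should be reachable.
BASELINE = {
    "10.0.0.10": {("tcp", 22), ("tcp", 443)},   # web server: SSH and HTTPS only
    "10.0.0.1": {("tcp", 22)},                   # firewall: management SSH only
}

# Legacy/cleartext services that are a finding regardless of the baseline.
INSECURE_SERVICES = {
    "telnet": "cleartext login",
    "ftp": "cleartext file transfer",
    "rsh": "legacy remote shell",
}


def parse_open_ports(xml_text):
    """Return {addr: [(proto, port, service_name), ...]} for open ports only."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not findings
            svc = port.find("service")
            name = svc.get("name") if svc is not None else ""
            ports.append((port.get("protocol"), int(port.get("portid")), name))
        result[addr_el.get("addr")] = ports
    return result


def check_against_baseline(open_ports, baseline):
    """Return findings as (host, port, severity, description) tuples.

    A host absent from the baseline is itself a high finding (unregistered
    asset); otherwise each open port is checked for insecure services first,
    then for deviation from the approved list.
    """
    findings = []
    for addr, ports in open_ports.items():
        allowed = baseline.get(addr)
        if allowed is None:
            findings.append((addr, None, "high", "host not in asset register / baseline"))
            continue
        for proto, port, name in ports:
            if name in INSECURE_SERVICES:
                findings.append((addr, f"{proto}/{port}", "high",
                                 f"{name}: {INSECURE_SERVICES[name]}"))
            elif (proto, port) not in allowed:
                findings.append((addr, f"{proto}/{port}", "medium",
                                 f"{name or 'unknown'} open but not in baseline"))
    return findings


def run_sample_check():
    """Run the baseline check over the constructed sample scan."""
    return check_against_baseline(parse_open_ports(SAMPLE_NMAP_XML), BASELINE)


if __name__ == "__main__":
    for host, port, severity, desc in run_sample_check():
        print(f"[{severity.upper():6}] {host} {port or '-':10} {desc}")
```

Each finding maps back to a scoped asset, which is what an auditor looks for in Stage 2: the baseline documents the intended state, the scan is the evidence, and the diff is the remediation list.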

Can we exclude VAPT control for ISO27001 implementation?

Mapping ISO 27001 controls to an organisation depends entirely on the risks identified in each area of the organisation. Excluding any Annex A control must be justified, and that justification is recorded in the Statement of Applicability.

All the networking devices, assets are always on the attacker’s radar. Attackers can get into the network through loopholes and can do damage to the organisation. Hence, it is crucial to scan all the information processing facilities for weaknesses periodically and fix them in time.

If the organisation does not have the skills to do the security testing itself, it can have it done by a third-party vendor.

What is the difference between ISO 27001 and SOC 2?

SOC 2 was designed by the AICPA for organisations that provide services to users. It requires an organisation to address one or more of the five Trust Services Criteria, with Security being mandatory; each criterion is met through the internal controls associated with it. SOC 2 compliance is documented in a formal attestation report rather than a certificate.

ISO 27001 was designed by the International Organization for Standardization (jointly with the IEC) and establishes industry-wide requirements for protecting the confidentiality, integrity and availability of information. Organisations obtain a certificate of compliance after successfully completing an external audit.

Reference links: https://www.itgovernance.eu/blog/en/iso-27001-vs-soc-2-certification-whats-the-difference
https://www.valencynetworks.com/it-audit-services/iso.html
https://www.valencynetworks.com/it-audit-services/soc2-compliance.html

Security Compliance

FEATURES

Our ISO 27001 consultancy implements an internationally recognised framework for robust information security policies and procedures.

PROCESS





We follow an agile yet systematic approach to implement information security management procedures swiftly and strengthen the cyber security of the organization.

BENEFIT

Upon implementing the ISO 27001 framework, the organization becomes compliant with the standard and achieves a strong, continually improving level of information security.

FAQ





Here is a list of typical questions from those who wish to use our services. If you need more information, feel free to contact us.

RELATED LINKS

Please refer to the related articles and information nodes.

Our Culture

Valency Networks has a very agile, friendly and fun-loving atmosphere, yet maintains a cutting-edge, technically vibrant work environment.