ISO 27001 Implementation

It totally depends on the organization?s readiness and preparedness. Once all the documentation, policies and procedures mandated by ISO 27001 are ready, organization should conduct an internal audit and check if they are ready to go for the external audit.

External audit is when an accredited certifying body comes to audit the organization. The Audit is divided into 2 stages.

1. Stage 1: an external auditor checks all the documentation such as policies, procedures, Risk registers and all the other documents mandated by ISO 27001.
2. Stage 2: Once you clear stage 1, you qualify for the second stage in which an external auditors actually talk to the stakeholders to see if all the policies and procedures laid out are being followed or not with proper evidences.

Once an organisation clears all the stages, it is given a certificate and becomes ISO 27001 compliant. The certification is valid for 3 years. In between these years, external auditor will come and perform surveillance audits to check if the ISO 27001 is being followed or not.

Vulnerability Assessment involves finding security holes i.e. vulnerabilities by scanning the entire network. Penetration Testing involves exploiting vulnerabilities to analyse the extent of damage that can be done to the system.

It is important to test all the network devices including but not limited to firewall, switches, routers etc. With the growing attacks on network, it is crucial for an organisation to have an understanding of all the risks pertaining to servers and firewall and lay out a detailed plan to fix all of those to prevent any attacks from happening.

A thorough testing plan will uncover a lot of underlying vulnerabilities such as outdated firmware versions, systems patches, unwanted open ports, misconfigure firewall rules, misconfigures server rules, weak passwords, obsolete accounts. Organisation can take help of industry recognised tools to find out potential loop holes in the system or can do it manually with help of skilled staff.

Vulnerability Assessment and Penetration testing involves scanning all the information processing facilities including but not limited to servers, desktops, laptops, products, switches, routers, firewall for underlying loopholes and weaknesses and exploiting those weaknesses further to see how much damage can be caused by them.

To perform VAPT as per ISO 27001, an organisation should narrow down its scope to all the critical assets and components. Once that is done, organisation can either take help from external VAPT vendor. In that case, a nondisclosure agreement should be drawn between the vendor and organization. Or, it can take test all the components in scope using industry recognised tools. Organization can also perform these tests manually if it has a skilled staff to do so.

More info can be found on: https://www.valencynetworks.com/it-audit-services/iso/vapt-for-iso27001-audit-compliance.html

SOC 2 designed by AICAP for the organisations that provide services to users. It requires for an organization to follow one or more set of trust principles out of 5, Security being the mandated one. These trust principles can be accomplished by the internal controls associated with each one, in order to fully comply with them. SOC 2 compliance is documented with formal attestation.

ISO 27001 designed by International Standards of Organization and it establishes industry wide requirements to mainly protect Confidentiality, Integrity and Availability of information. The organizations get certification of compliance after successful completion of an external audit.

Reference links: https://www.itgovernance.eu/blog/en/iso-27001-vs-soc-2-certification-whats-the-difference
https://www.valencynetworks.com/it-audit-services/iso.html
https://www.valencynetworks.com/it-audit-services/soc2-compliance.html

PROCESS

FAQ