Know You Are Secure & Prove You Are Compliant
Organizations need to prove they are secure to compete within the global marketplace. In today’s world, it’s not enough to just claim you are secure; potential clients, business partners and board rooms want proof. With Pivot Point Security as your trusted partner, achieving and maintaining ISO-27001 certification year over year is a guaranteed reality. Clients who work with us benefit from significantly enhanced security postures and an ability to demonstrate the same to their key stakeholders, including business-critical customers.
Benefits of the As-A-Service Model:
- Reach compliance at your own pace – Dedicated ISO 27001 expertise to ensure you have the answers, guided documentation and extended team members you need when you need them.
- Establish a roadmap & stay on target – PPS hosts weekly status/coordination/working meetings between your project team and our ISO 27001 experts dedicated to your project.
- Save time and money – Leveraging our expertise, proven processes and artifacts simplifies the process of achieving certification.
- Ensure you meet ISO 27001 requirements – PPS ensures your success by validating all artifacts to guarantee they fully conform with the standard.
- Ensure 27001 is operationalized (not just implemented) – PPS helps build the ISMS committee and chair committee meetings.
- Ensure you are ready for your certification audit – PPS conducts your ISMS Internal Audit (including Corrective Action Plans & Management Review).
- Ensure you pass your certification audit – PPS provides on-site support to ensure your certification audit goes off without a hitch. We have a 100% success rate bringing clients to ISO 27001 certification.
- Ensure you maintain your certification year after year – PPS provides the ongoing support to operate the ISMS, manage information risk, continually improve your security posture, execute your ISMS Internal Audit Program, and successfully maintain your certification.
Our ISO/IEC 27001 consulting services help organizations strategize, build, and certify a robust and effective Information Security Management System (ISMS). Our team of experts brings extensive experience and deep information security domain expertise (including certifications like ISO/IEC 27001 Lead Auditor, ISO 27001 Lead Implementer, CISSP, CISA and/or CRISC) to ensure that you achieve ISO/IEC 27001 certification on time and on budget.
Our consultants will work collaboratively with you throughout the entire certification process, from ISMS Scoping through on-site Certification Audit Support. Beyond that, we provide a variety of ongoing support services to our successfully certified clients, often participating in Information Security Risk Assessments and conducting Internal ISMS Audits, among others.
Information Security Management System (ISMS) Strategy/Framework Selection – Determining the optimal approach to ISMS development in light of industry, regulatory compliance, and attestation requirements. For example, should a US Army hospital operating in Germany leverage NIST, HITRUST, ISO-27001 or some combination of those three standards? What is the right approach and how do you begin ISO-27001 certifying a 100K person, multinational organization?
ISMS Scope Determination & Optimization – Scope determination is critical to a successful ISO-27001 certification effort. The scope needs to be broad enough to ensure that it will satisfy key stakeholders (e.g., clients, shareholders) but narrow enough to ensure the initial effort remains manageable.
Risk Assessment – Risk Assessment/Management is fundamental to an ISMS. We believe that ISO-27005 has an advantage over many other Risk Assessment standards in that it is well suited to a non-asset-based approach. This “information and the processes that act on it” approach yields a much more intuitive process that drives far greater value in less time. While we are advocates of ISO-27005, we also use other standards including OCTAVE, OCTAVE-S, NIST SP 800-30 and AS/NZS 4360.
Risk Treatment Plan Development – The risk treatment plan defines the ISO-27002 controls required, including the necessary extent and rigor, to treat (mitigate) risk to a level that is deemed acceptable by management. It is a fundamental ISMS artifact and forms the basis/standard for the gap assessment.
ISMS Gap Assessment – Understanding the gap between the current and desired state of the Information Security Management System (e.g., ISO-27001) is a key input into a “Prioritized Roadmap” (Gap Remediation Plan).
Security Controls Gap Assessment – Understanding the gap between the current and desired state of the control practices is a key input into a “Prioritized Roadmap” (Gap Remediation Plan). ISO-27002 Gap Assessments (and derivatives like Shared Assessments and HITRUST) are widely used outside of ISO-27001 certification efforts as a “best security practices” gap assessment and can also be used to serve as a form of design/operational attestation.
Prioritized Roadmap Definition – Roadmaps define the activities, approach and responsibilities necessary to address identified gaps in the time-frame required to achieve project objectives, including certification.
Gap Remediation Facilitation/Support – Ideally, gap remediation will be largely accomplished by the internal team, rather than a third party (like Pivot Point Security). An internally focused approach leveraging a third party for SME on demand, templates and artifact validation, maximizes the development of organizational knowledge/expertise, ensures that key personnel are “stakeholders” in the resultant control environment and prevents an organization from being overly reliant on a third party to operate the ISMS post certification.
Security Metrics – Security metrics are critical to the optimal operation of an ISMS, as they are integral to demonstrating the continuous improvement principles that are inherent in most ISMSs. This service is focused on simplifying the process of measuring, reporting and hence systematically improving ISMS effectiveness. Independent of the security framework being leveraged, ISO-27004 provides excellent guidance on security metrics.
Policy, Standards, & Procedure (PSP) Support – PSPs form the backbone of any ISMS. Remarkably, although PSPs are the most basic elements of an ISMS, they are also one of the most complex to implement effectively. This is largely due to the comprehensive and inter-dependent nature of PSPs. Key decision points to consider before embarking on a PSP effort:
- Structure: Ideally Policies, Standards & Procedures are segregated, which simplifies ongoing administration and version management. However, most organizations combine them, which yields complexity where a particular procedure is integral to multiple Standards and/or procedures.
- Presentation: Most organizations leverage a linear document format for PSPs, which does a poor job of communicating their hierarchical nature and interdependencies. Increasingly, Wikis, SharePoints, and/or dedicated ISMS management systems are being leveraged to address this challenge.
- Audience: PSPs often have multiple audiences (e.g., employees, IT personnel, contractors, consultants, management). Audience, structure and presentation are highly inter-related and are critical to ensuring that PSPs are understood and followed. If the desired audience can’t EASILY find all of the information relevant to a particular issue they are attempting to address, a non-conformity is almost certain to occur.
- Business: The company’s size, risk/risk tolerance, internal expertise, resource availability, budget and current PSP maturity level significantly impact the effort.
- External: The regulations and external business contexts can notably impact the effort.
- Version Control: It is critical to have mechanisms that ensure all necessary approvals for changes are auditable, version histories are retained, and only current versions are readily accessible.
ISMS Internal Audit – Integral to the PDCA model of most ISMSs is a requirement to conduct an internal audit to determine whether the control objectives, controls, processes and procedures of its ISMS:
- Conform to the requirements of ISO-27001 and relevant legislation or regulations;
- Conform to identified information security requirements;
- Are effectively implemented and maintained; and
- Perform as expected.
Certification Audit Support – Many organizations believe that having a Pivot Point Security auditor on-site during one or both of the certification audit phases simplifies the process and reduces the risk that non-conformities may be cited.
27001 Certificate Extension – We often advocate that organizations minimize the initial scope of their ISO-27001 certificate to limit the level of disruption to business. Extending the certificate during surveillance audits is the simplest approach to progressively increasing the scope of an ISMS.
Ongoing Risk Management Team Membership – Maintaining an optimal composition of the Risk Management Committee ensures the ongoing effectiveness of the Risk Management function, which is critical to the ongoing effectiveness of the ISMS. Many organizations favor the inclusion of an independent and objective third party with cross organizational/industry expertise to optimize the operation of the Risk Management Committee.
Incident Response Support – Implementing procedures and other controls capable of enabling the timely detection of, and response to, incidents is essential to an ISMS and the principles of continuous improvement. Many organizations do not have the expertise and/or resources to fully address this requirement internally.
ISO 27001 Frequently Asked Questions (FAQs)
ISO 27001 is the most important standard in the ISO 27000 family of globally recognized standards, which provide guidance and a logical framework that organizations use to keep information secure. It is the “de facto standard” for information security and is widely recognized as the best way to prove to key stakeholders that you have a strong cybersecurity program.
An ISMS is a systematic, risk-based approach to managing sensitive data so that it remains secure.
A Risk Assessment or risk analysis is a key element of an ISO 27001 implementation. Its purpose is to identify the risks associated with loss of confidentiality, integrity and availability of information assets, and to rank the importance of each risk to focus risk mitigation efforts.
An organization seeking to achieve or maintain ISO 27001 certification must conduct periodic internal audits, per clause 9.2 of the ISO 27001 standard. Conducted by in-house staff or a trusted third party at least once every year, the internal audit’s purpose is to help management verify the effectiveness of the ISMS (e.g., does it conform to the organization’s own requirements as well as those of the standard).
Conducted by a certification body (often referred to as a registrar), an ISO 27001 Certification Audit determines whether an organization’s Information Security Management System (ISMS) conforms to the requirements of the ISO 27001 standard. If the findings are satisfactory, the ISMS is certified as conforming to the standard. The ISO 27001 Certification Audit covers the full ISMS and occurs in the first year of the three-year ISO 27001 certification cycle.
ISO 27001 Surveillance Audits cover a subset of the ISMS and are conducted by a certification body in years two and three of the three-year ISO 27001 certification cycle.