ISO 27001 Consulting
Over 10 years of cyber security expertise
The ISO/IEC 27001 Information Security Management System standard was based on the British Standard BS 7799-2 and was first published in 2005 under the name ISO/IEC 27001:2005.
In 2013, the ISO/IEC 27001 standard was revised to comply with Annex SL, which defines a common structure applicable to all ISO management system standards. The main objective was to create a general framework that forms the basis for all management systems. This helps organizations follow similar methodologies and implement common processes so that multiple management systems can be run in accordance with their requirements.
What is ISO 27001?
ISO/IEC 27001 is an information security management system (ISMS) standard that supports addressing information security problems and identifying and managing the valuable information assets of the organization. ISO 27001 helps small, medium and large businesses, and organizations from various industries, manage their information security.
In addition, ISO 27001 is an increasingly popular standard because it is subject to certification, is referenced in regulatory requirements, and has become one of the specification requirements in procurement processes that involve information sharing.
The structure of the ISO 27001:2013 Information Security Management System is as follows:
- Information security policies
- Organisation of information security
- Human resources security
- Asset management
- Access control
- Physical and environmental security
- Operational security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
BTRisk ISO 27001 Consulting Method
Our ISO 27001 Information Security Management System consultancy method is structured in parallel with the Deming cycle and consists of the following phases:
Preparation: The preparation phase is not one of the main steps that make up the Deming cycle. However, the need for this phase has been observed in many of our consultancy projects, and the preparatory phase has become a standard step of our Information Security Management System (ISMS) implementation method. In this phase, the ISO 27001 ISMS scope is clarified, the project team is oriented through information security and management system training, and management support is obtained.
Planning: The planning phase of our ISO 27001 consulting service begins with a gap assessment of the organization's information security controls. During the gap assessment we also gather the information security related business and regulatory requirements, the IT infrastructure and the existing information security controls. Working through information security control best practices, we also discover the critical information assets and focus on them. At the end of this phase we identify the organization's security control requirements and the gap between the existing status and the required state.
Implementation: In the implementation step of our ISO 27001 consultancy, the management system components (policies, procedures, guidelines, etc.) and the control requirements identified during the risk assessment are developed and put into practice. Information security awareness training is provided for the personnel of the organization in accordance with the organization's security requirements.
Checking: In this step of our ISO 27001 consultancy, internal audit work is carried out covering the ISO 27001 standard and all or some of the essential security controls discussed in detail in ISO 27002. A management review is conducted and corrective action needs are identified.
Correction: In the last step of our ISO 27001 consultancy, the necessary improvement plans are implemented in line with the corrective action requirements that were determined.
Detailed information is available about our BTRWatch GRC product, which is fully compatible with the ISO 27001:2013 standard.