Scope determination is critical to a successful ISO-27001 certification effort. The scope needs to be broad enough to ensure that it will satisfy key stakeholders (e.g., clients, shareholders) but narrow enough to ensure the initial effort remains manageable.
Risk Assessment/Management is fundamental to an ISMS. We believe that ISO-27005 has an advantage over many other Risk Assessment standards in that it is well suited to a non-asset-based approach. This “information and the processes that act on it” approach yields a much more intuitive process that drives far greater value, in less time. While we are advocates of ISO-27005, we also use other standards, including OCTAVE, OCTAVE-S, NIST SP 800-30 and AS/NZS 4360.
Understanding the gap between the current and desired state of the Information Security Management System (e.g., as defined by ISO-27001) is a key input into a “Prioritized Roadmap” (Gap Remediation Plan).
Roadmaps define the activities, approach and responsibilities necessary to address identified gaps in the time-frame required to achieve project objectives, including certification.
Policies, standards, and procedures (PSPs) form the backbone of any ISMS. Remarkably, although PSPs are the most basic elements of an ISMS, they are also among the most complex to implement effectively. This is largely due to the comprehensive and inter-dependent nature of PSPs.
Whilst our team and its focus centre on PCI-related assessment work, we are all security professionals. As such, we can complete general security assessments to assist in securing your working environment. The focus of these assessments is broader than card data and addresses ways to secure your Personally Identifiable Information (PII). Outputs of these assessments are similar to our standard gap assessment reporting.