This eBrief outlines the audits and associated costs needed to gain and maintain ISO 27001 certification. 


Our ISO-27001 consulting services include:

Information Security Management System (ISMS) Strategy/Framework Selection – Determining the optimal approach to ISMS development in light of industry, regulatory compliance, and attestation requirements. For example, should a US Army hospital operating in Germany leverage NIST, HITRUST, ISO-27001 or some combination of those three standards? What is the right approach and how do you begin ISO-27001 certifying a 100K person, multinational organization?

ISMS Scope Determination & Optimization – Scope determination is critical to a successful ISO-27001 certification effort. The scope needs to be broad enough to ensure that it will satisfy key stakeholders (e.g., clients, shareholders) but narrow enough to ensure the initial effort remains manageable.

Risk Assessment – Risk Assessment/Management is fundamental to an ISMS. We believe that ISO-27005 has an advantage over many other Risk Assessment standards in that it is well suited to a non-asset-based approach. This “information and the processes that act on it” approach yields a much more intuitive process that drives far greater value in less time. While we are advocates of ISO-27005, we also use other standards including OCTAVE, OCTAVE-S, NIST SP 800-30 and AS/NZS 4360.

Risk Treatment Plan Development – The risk treatment plan defines the ISO-27002 controls required, including the necessary extent and rigor, to treat (mitigate) risk to a level that is deemed acceptable by management. It is a fundamental ISMS artifact and forms the basis/standard for the gap assessment.

ISMS Gap Assessment – Understanding the gap between the current and desired state of the Information Security Management System (e.g., ISO-27001) is a key input into a “Prioritized Roadmap” (Gap Remediation Plan).

Security Controls Gap Assessment – Understanding the gap between the current and desired state of the control practices is a key input into a “Prioritized Roadmap” (Gap Remediation Plan). ISO-27002 Gap Assessments (and derivatives like Shared Assessments and HITRUST) are widely used outside of ISO-27001 certification efforts as a “best security practices” gap assessment and can also be used to serve as a form of design/operational attestation.

Prioritized Roadmap Definition – Roadmaps define the activities, approach and responsibilities necessary to address identified gaps in the time-frame required to achieve project objectives, including certification.

Gap Remediation Facilitation/Support – Ideally, gap remediation will be largely accomplished by the internal team, rather than a third party (like Pivot Point Security). An internally focused approach leveraging a third party for SME on demand, templates and artifact validation, maximizes the development of organizational knowledge/expertise, ensures that key personnel are “stakeholders” in the resultant control environment and prevents an organization from being overly reliant on a third party to operate the ISMS post certification.

Security Metrics – Security metrics are critical to the optimal operation of an ISMS, as they are integral to demonstrating the continuous improvement principles that are inherent in most ISMSs. This service is focused on simplifying the process of measuring, reporting and hence systematically improving ISMS effectiveness. Independent of the security framework being leveraged, ISO-27004 provides excellent guidance on security metrics.

Policy, Standards, & Procedure (PSP) Support – PSPs form the backbone of any ISMS. Remarkably, although PSPs are the most basic elements of an ISMS, they are also one of the most complex to implement effectively. This is largely due to the comprehensive and inter-dependent nature of PSPs. Key decision points to consider before embarking on a PSP effort:

  • Structure: Ideally Policies, Standards & Procedures are segregated, which simplifies ongoing administration and version management. However, most organizations combine them, which yields complexity where a particular procedure is integral to multiple Standards and/or procedures.
  • Presentation: Most organizations leverage a linear document format for PSPs, which does a poor job of communicating their hierarchical nature and interdependencies. Increasingly, Wikis, SharePoints, and/or dedicated ISMS management systems are being leveraged to address this challenge.
  • Audience: PSPs often have multiple audiences (e.g., employees, IT personnel, contractors, consultants, management). Audience, structure and presentation are highly inter-related and are critical to ensuring that PSPs are understood and followed. If the desired audience can’t EASILY find all of the information relevant to a particular issue they are attempting to address, a non-conformity is almost certain to occur.
  • Business: The company’s size, risk/risk tolerance, internal expertise, resource availability, budget and current PSP maturity level significantly impact the effort.
  • External: The regulations and external business contexts can notably impact the effort.
  • Version Control: It is critical that mechanisms exist to ensure that all necessary approvals for changes are auditable, version histories are retained and only current versions are readily accessible.


ISMS Internal Audit – Integral to the PDCA model of most ISMSs is a requirement to conduct an internal audit to determine whether the control objectives, controls, processes and procedures of its ISMS:

  • Conform to the requirements of ISO-27001 and relevant legislation or regulations;
  • Conform to identified information security requirements;
  • Are effectively implemented and maintained; and
  • Perform as expected.


Certification Audit Support – Many organizations believe that having a Pivot Point Security auditor on-site during one or both of the certification audit phases simplifies the process and reduces the risk that non-conformities may be cited.

ISO 27001 Certificate Extension – We often advocate that organizations minimize the initial scope of their ISO-27001 certificate to limit the level of disruption to business. Extending the certificate during surveillance audits is the simplest approach to progressively increasing the scope of an ISMS.

Ongoing Risk Management Team Membership – Maintaining an optimal composition of the Risk Management Committee ensures the ongoing effectiveness of the Risk Management function, which is critical to the ongoing effectiveness of the ISMS. Many organizations favor the inclusion of an independent and objective third party with cross organizational/industry expertise to optimize the operation of the Risk Management Committee.

Incident Response Support – Implementing procedures and other controls capable of enabling the timely detection of, and response to, incidents is essential to an ISMS and the principles of continuous improvement. Many organizations do not have the expertise and/or resources to fully address this requirement internally.