Our tested and proven methodology and extensive experience ensure the effective and timely implementation of an Information Security Management System (ISMS) and eventual certification to the ISO/IEC 27001:2013 standard. Our consulting methodology follows the Plan-Do-Check-Act (PDCA) process-based approach, as adapted from ISO/IEC 27001:2013, for implementing a management system within an organization. This approach, aimed at instituting a culture of continuous improvement, is interpreted as follows:
- Diagnostics: This phase involves project planning, defining the scope of the ISMS, and a rigorous Controls Gap Assessment that examines the organization's compliance with the mandatory clauses and the 114 control objectives and controls of ISO/IEC 27001:2013. A Risk and Vulnerability Assessment of the information assets within the scope of the ISMS is also performed.
- Design: An Implementation Blueprint is developed to address the gaps observed and to ensure conformity with the requirements of the standard. A work and priority matrix for the technical security vulnerabilities and risk treatment is provided, together with an enterprise-wide improvement roadmap for information security. The Statement of Applicability (SoA), covering the applicable controls from the 114 control objectives and controls, is also documented in accordance with the standard.
- Implementation/Remediation Management: The actual remediation of the gaps, vulnerabilities and weaknesses observed during the Controls Gap Assessment, Technical Security Assessment and Risk Assessment is performed in this phase, guided by the Implementation Blueprint from the Design phase. This phase also involves organization-wide training and awareness sessions, guidance on the implementation of controls (documentation, processes, technologies, etc.), and monitoring and measuring the effectiveness of the controls implemented.
- Compliance and Certification: The ISMS certification audit is typically a two-stage exercise conducted by an independent, accredited certification body. Stage 1 is a document review and Stage 2 is the certification audit proper. Prior to this two-stage audit, we conduct a mock compliance audit to confirm the organization's readiness for certification. Post-certification, ongoing monitoring and compliance support is provided to maintain compliance and to support successful surveillance audits and re-certification.