ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). It supports organizations in addressing information security problems and in identifying and managing their valuable information assets. ISO 27001 helps small, medium and large businesses, and organizations from various industries, manage their information security.
In addition, ISO 27001 is an increasingly popular standard because it is subject to certification, is referenced in regulations by regulators, and has become one of the specification requirements in procurement processes that involve information sharing.
The structure of the ISO 27001:2013 Information Security Management System is as follows:
- Information security policies
- Organisation of information security
- Human resources security
- Asset management
- Access control
- Physical and environmental security
- Operational security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
CIOSIS ISO 27001 Consulting Method
Our ISO 27001 Information Security Management System consultancy method follows the Deming cycle (Plan, Do, Check, Act) and consists of the following phases:
Preparation: The preparation phase is not one of the main steps that make up the Deming cycle. However, the need for this phase has been observed in many of our consultancy projects, and it has become a standard step of our Information Security Management System (ISMS) implementation method. In this phase, the scope of the ISO 27001 ISMS is clarified, the project team is oriented through information security and management system training, and management support is obtained.
Planning: The planning phase of our ISO 27001 consulting service begins with a gap assessment of the organization's information security controls. During the gap assessment, we also gather information on security-related business and regulatory requirements, the IT infrastructure and the existing information security controls. Working through information security control best practices, we also identify the critical information assets and focus on them. At the end of this phase we have identified the organization's security control requirements and the gap between the existing status and the required state.
Implementation: In the implementation step of our ISO 27001 consultancy, the management system components (policies, procedures, guidelines, etc.) and the control requirements identified during the risk assessment are developed and put into practice. Information security awareness training is provided for the organization's personnel in accordance with its security requirements.
Checking: In this step of our ISO 27001 consultancy, an internal audit is carried out covering the ISO 27001 standard and all or some of the essential security controls discussed in detail in ISO 27002. A management review is conducted and corrective action needs are identified.
Correction: In the last step of our ISO 27001 consultancy, the necessary improvement plans are implemented in line with the corrective action requirements that were determined.