The International Organization for Standardization (ISO) 27000 series provides a common set of international standards for information security management. Whether your organization is implementing ISO 27001, ISO 27002, or both, ADHERE can guide you through the process.
So what’s the difference between ISO 27001 and ISO 27002?
ISO 27001 is the requirements standard. It specifies what an organization must have in place to establish, operate, maintain, and continually improve an Information Security Management System (ISMS), and it is the standard against which an ISMS is audited and certified. ISO 27001 is about building the foundation and framework of the organization’s ISMS.
ISO 27002 gets more specific. It is a code of practice: a set of guidelines and best practices for implementing the ISMS controls. It is NOT a certifiable standard; an organization cannot be certified against ISO 27002. The commonality between the two standards is in the controls.
ISO 27001 (in its Annex A) lists the controls an organization must consider and either adopt or justify excluding in its Statement of Applicability. ISO 27002 provides specific guidance on how to implement those controls.
How does ADHERE help prepare you for either implementation?
The implementation process is based on a three-phase model: Plan, Document, and Support.
Phase 1: Plan
In the Planning phase, ADHERE works with your senior management to identify your business objectives, taking into account factors such as the organization’s size, business sector (including industry-specific regulatory considerations), existing information security maturity level, compliance standards already in scope, and management’s commitment to the initiative.
We then identify the budget, timeline, key stakeholders, and risk factors, and compile an inventory of company assets. The asset inventory matters because the scope of the ISMS, and therefore the scope of the risk assessment and of the eventual certification audit, is defined in terms of the assets, processes, and locations it covers.
Phase 2: Document
In the Document phase, we review your policies and procedures, the risk treatment plan (RTP) in place, and the extent of the information security staff resources and training you have.
Policies and Procedures
Once engaged, ADHERE will review your organization’s security policies and procedures against the 14 control domains of ISO 27001:2013 Annex A (mirrored in ISO 27002:2013). If a policy or procedure does not exist for any of those domains, ADHERE will work with your organization’s respective stakeholders and legal counsel to create and deliver the required documents.
If your organization already has security-related policies and procedures in place, ADHERE will review the existing documents and provide a gap analysis and recommendations to bring you into conformance with the standard.
Throughout this process, ADHERE will work with your team members to ensure that the policies and procedures are not only documented but actually implemented, since an auditor looks for evidence that a control operates, not merely that it is written down.
Technical Security Requirements (TSRs)
While policies and procedures cover the documentation side of the information security process, Technical Security Requirements cover the IT infrastructure and its execution.
ADHERE’s technical Subject Matter Experts (SMEs) can create Technical Security Requirement documents for your IT environment: the security hardening guides for your operating systems, applications, and network architecture that turn policy statements into concrete, verifiable configuration baselines.
Depending on the organization’s Risk Treatment Plan (RTP), ADHERE can perform quarterly or annual risk assessments as one of our services.
Working with the individual internal team owners, ADHERE will review the data for each applicable section, assess it, and present our findings and recommendations to management for further action and/or remediation.
Phase 3: Support
In the Support phase, ADHERE can perform a formal attestation of your organization’s ISMS. During the attestation period, ADHERE reviews and scores your ISMS from the perspective of an auditor. It is important to distinguish that this attestation is NOT a certification audit; it is a pre-audit readiness review and scoring that gives senior management insight into whether the organization is ready for the formal audit, which is performed by an independent, accredited certification body. Your organization then has the opportunity either to proceed with the certification audit or to perform additional remediation first.
CISO Team Services
ADHERE offers on-demand CISO Team Services to provide your organization with operational oversight, periodic reassessments, remediation, and preventive action.
ADHERE offers continuous improvement and remediation to secure your organization throughout the process. Our number one goal is for your organization to implement and maintain a mature ISMS that conforms to industry standards and holds up to certification.