
Helping you achieve ISO/IEC 27001 compliance

Achieving ISO/IEC 27001 certification demonstrates to customers, partners and other stakeholders that an organisation is committed to managing information safely and securely.

The long road to ISO 27001 compliance can be daunting for any business. It can be difficult to understand and effectively prioritise the required compliance measures, particularly if in-house resources are stretched.

As an award-winning provider of cyber security and consultancy services, Redscan is well placed to help your organisation assess and improve its information security in line with ISO 27001 controls and demonstrate compliance with the GDPR and other regulatory requirements.

What is ISO 27001?

ISO 27001 is an international security standard that outlines a framework of technical risk management controls required for an Information Security Management System (ISMS).

ISO 27001 is part of the ISO/IEC 27000 series of standards published jointly by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). The ISO framework is designed to help organisations establish, implement, operate, monitor, review, maintain and improve their ISMS.

The ISO 27001 standard adopts a risk-based, technology-neutral approach, requiring organisations to apply controls in line with their own specific security risks. Rather than mandating a set list of controls, the standard outlines a checklist of measures that should be considered, as well as a set of best practice recommendations which are highlighted in ISO 27002.

Even if your organisation is not looking to become fully certified at this time, it is advisable to understand the controls outlined within the standard to ensure that security best practices are being followed.

ISO/IEC 27001 requirements

  • Systematically examine information security risks by identifying threats and vulnerabilities and quantifying impacts
  • Design and implement a comprehensive suite of security controls to address identified security risks
  • Adopt an ongoing management process that ensures controls meet information security needs as risks evolve over time

ISO 27001 Annex A controls

To build an effective Information Security Management System (ISMS), choosing appropriate controls is vital. ISO 27001 Annex A lists a set of 114 best practice ISO controls, divided across 14 clauses.

Since ISO 27001 was updated in 2013, these controls have not been mandatory. They merely provide guidance for risk assessments, allowing organisations to select the controls that they can identify and justify as being most relevant and meaningful for their organisation.

The 14 control clauses of Annex A:

The ISO 27001 certification process

To achieve ISO 27001 certification, an organisation’s ISMS must be assessed by an accredited registrar, who will undertake a three-stage external audit process defined by ISO 27006. The process is likely to include the following:

Stage 1

Stage 1 consists of a preliminary assessment of an organisation’s ISMS, including collation of security policy documentation. Two key documents are the Statement of Applicability (SoA) and Risk Treatment Plan (RTP).

Stage 2

Stage 2 includes a formal compliance audit where the ISMS is tested against ISO 27001 requirements. Organisations being assessed need to ensure they are able to produce documentation on the ISMS’s design and implementation, as well as evidence that it is being actively operated and maintained.

Stage 3

Organisations that pass Stage 2 are deemed ISO 27001 certified, but they must also go through a series of follow-up reviews and audits to confirm they remain compliant. This is recommended to happen at least annually, but typically takes place much more regularly while the ISMS is in its infancy.

ISO 27001 pen testing

ISO 27001 certification is not an overnight process and most organisations will struggle to prepare for an audit without external assistance. The ability to identify and address vulnerabilities is critical to an ISMS, and the most effective way to do this is to implement a programme of regular security testing.

Objective A.12.6.1 of ISO 27001 states that information about technical security vulnerabilities should be obtained in a timely fashion, exposure to these vulnerabilities evaluated and appropriate measures taken to address the associated risks.

Redscan’s CREST-approved team of pen testing experts have extensive experience helping organisations across a range of sectors build security testing programmes. We provide in-depth risk analysis and complete post-test care to ensure identified vulnerabilities can be remediated in a timely fashion. Whether you’re looking for an internal/external network assessment, web app/mobile app test or custom phishing and social engineering simulation, our friendly team is here to help.


ISO 27001 threat and incident management

One of the overarching requirements of an Information Security Management System is the development of a comprehensive suite of threat management controls that is monitored on an ongoing basis. Objective A.16.1 covers security incident management, including detection, response, and reporting.

Unless you have a large in-house security team dedicated to the task, it can be difficult to build the necessary capabilities to detect and respond to threats on an ongoing basis. ThreatDetect™ is Redscan’s outcome-focused Managed Detection and Response service that supplies the people, technology and cyberoffensive intelligence required to proactively hunt for threats and shut them down as quickly as possible.

We work closely with our clients to identify their specific security risks and implement a solution that provides the tangible security outcomes needed to satisfy a wide range of use cases.

Why choose Redscan?

  • A leading UK-based MDR and testing company
  • An outcome-focused approach
  • CREST-accredited SOC and red team
  • In-depth threat analysis and remediation guidance
  • Multi award-winning security services
  • Avg. >9/10 customer service, 95% retention rate

Our award-winning services

Redscan’s security services are designed to provide the vital assistance needed to make tangible improvements to your organisation’s cyber security posture.

Managed Detection and Response

Award-winning support to rapidly detect and respond to the latest threats 24/7

Assessment Services

Specialist engagements to uncover and address hidden cyber security risks

Managed Security Services

Expert help to manage and monitor your choice of security technologies
