Helping you achieve ISO/IEC 27001 compliance
Achieving ISO/IEC 27001 certification demonstrates to customers, partners and other stakeholders that an organisation is committed to managing information safely and securely.
The long road to an ISMS and ISO 27001 compliance can be daunting for any business. It can be difficult to understand and effectively prioritise the required compliance measures, particularly if in-house resources are stretched.
As an award-winning provider of cyber security and consultancy services, Redscan is well placed to help your organisation assess and improve its information security in line with ISO 27001 controls and demonstrate compliance with the GDPR and other regulatory requirements.
What is ISO 27001?
ISO 27001 is an international security standard that outlines a framework of technical risk management controls required for an Information Security Management System (ISMS).
ISO 27001 is part of the ISO/IEC 27000 series of standards published jointly by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). The ISO framework is designed to help organisations establish, implement, operate, monitor, review, maintain and improve their ISMS.
The ISO 27001 standard adopts a risk-based, technology-neutral approach, requiring organisations to apply controls in line with their own specific security risks. Rather than mandating a set list of controls, the standard outlines a checklist of measures that should be considered, as well as a set of best practice recommendations which are highlighted in ISO 27002.
Even if your organisation is not looking to become fully certified at this time, it is advisable to understand the controls outlined within the standard to ensure that security best practices are being followed.
ISO 27001 requirements
ISO/IEC 27001 requirements
ISO 27001 Annex A controls
To build an effective Information Security Management System (ISMS), choosing appropriate controls is vital. ISO 27001 Annex A lists a set of 114 best practice ISO controls, divided across 14 clauses.
Since ISO 27001 was updated in 2013, these controls have not been mandatory. They merely provide guidance for risk assessments, allowing organisations to select of the controls that they can identify and justify as being most relevant and meaningful for their organisation.
The 14 control clauses of Annex A:
A.5 - Information security policies
A.6 - Organisation of information security
A.7 - Human resource security
A.8 - Asset management
A.9 - Access control
A.10 - Cryptography
A.11 - Physical and environmental security
A.12 - Operations security
A.13 - Communications security
A.14 - System development and maintenance
A.15 - Supplier relationships
A.16 - Information security incident management
A.17 - Business continuity management
A.18 - Compliance laws and policies
ISO 27001 certification
The ISO 27001 certification process
To achieve ISO 27001 certification, an organisation’s ISMS must be assessed by an accredited registrar, who will undertake a three-stage external audit process defined by ISO 27006. The process is likely to include the following:
Stage 1 consists of a preliminary assessment of an organisation’s ISMS, including collation of security policy documentation. Two key documents are the Statement of Applicability (SoA) and Risk Treatment Plan (RTP).
Stage 2 includes a formal compliance audit where the ISMS is tested against ISO 27001 requirements. Organisations being assessed need to ensure they are able to produce documentation on the ISMS’s design and implementation, as well as evidence that it is being actively operated and maintained.
Organisations that pass Stage 2 are deemed ISO 27001 certified, but they must also go through a series of follow-up reviews and audits to confirm they remain compliant. This is recommended to happen at least annually, but typically takes place much more regularly while the ISMS is in its infancy.
ISO 27001 penetration testing
ISO 27001 pen testing
ISO 27001 certification is not an overnight process and most organisations will struggle to prepare for an audit without external assistance. The ability to identify and address vulnerabilities is critical to an ISMS, and the most effective way to do this is to implement a programme of regular security testing.
Objective A.12.6.1 of ISO 27001 states that information about technical security vulnerabilities should be obtained in a timely fashion, exposure to these vulnerabilities evaluated and appropriate measures taken to address the associated risks.
Redscan’s CREST-approved team of pen testing experts have extensive experience helping organisations across a range of sectors build security testing programmes. We provide in-depth risk analysis and complete post-test care to ensure identified vulnerabilities can be remediated in a timely fashion. Whether you’re looking for an internal/external network assessment, web app/mobile app test or custom phishing and social engineering simulation, our friendly team is here to help.
More about ISO 27001 penetration testing
ISO 27001 incident management
ISO 27001 threat and incident management
One of the overarching requirements of an Information Security Management System is the development of a comprehensive suite of threat management controls that is monitored on an ongoing basis. Objective A.16.1 covers security incident management, including detection, response, and reporting.
Unless you have a large in-house security team dedicated to the task, it can be difficult to build the necessary capabilities to detect and respond to threats on an ongoing basis. Kroll Responder is our outcome-focused Managed Detection and Response service that supplies the people, technology and cyberoffensive intelligence required to proactively hunt for threats and shut them down as quickly as possible.
We work closely with our clients to identify their specific security risks and implement a solution that provides the tangible security outcomes needed to satisfy a wide range of use cases.
Why choose Redscan?
- A leading UK-based MDR and testing company
- An outcome-focused approach
- CREST-accredited SOC and red team
- In-depth threat analysis and remediation guidance
- Multi award-winning security services
- Avg. >9/10 customer service, 95% retention rate
Our award-winning services
Redscan’s security services are designed to provide the vital assistance needed to make tangible improvements to your organisation’s cyber security posture.
Managed Detection and Response
Award-winning support to rapidly detect and respond to the latest threats 24/7Read more
Specialist engagements to uncover and address hidden cyber security risksRead more
Managed Security Services
Expert help to manage and monitor your choice of security technologiesRead more
Get in touch
Complete the form for a prompt response from our team.