ISO 27001

ISO 27001 Audit

Our ISO 27001 Audit service provides a thorough and structured approach to help your organization achieve compliance with ISO/IEC 27001:2022. The process is divided into two primary stages:

Stage 1: ISMS Audit Scoping

This phase focuses on understanding your organization’s Information Security Management System (ISMS) and determining the audit scope. Our tasks include:

  • Organizational Analysis: Reviewing your company’s structure and roles.
  • Interviews with Management: Gaining insights into leadership’s approach to information security.
  • Process and Asset Review: Analyzing critical business processes and identifying key assets (information systems, data, personnel, service providers).
  • Scope Definition: Identifying departments and systems involved in critical processes.

Deliverable: An approved ISMS Audit Plan that outlines the audit scope and strategy.

Stage 2: GAP Assessment

The GAP Assessment evaluates the current state of your ISMS against the ISO/IEC 27001:2022 standard. It involves:

  • Policy and Control Review: Analyzing existing information security policies, procedures, and controls.
  • Stakeholder Interviews: Engaging with business process owners, IT, and IS specialists to gather insights on:
    • Information security policies, governance, and awareness.
    • Asset management and data classification.
    • Access control, identity management, and third-party security.
    • Business continuity, compliance, and independent reviews.
    • IT operations, physical security, and endpoint protection.
    • Malware protection, configuration management, and data security.
    • Network security, cryptography, and secure development practices.

Deliverable: The “ISMS Audit Report,” which includes:

  • Assessment of compliance with ISO/IEC 27001:2022 requirements.
  • Evaluation of the maturity of your ISMS.
  • Recommendations to address identified gaps.
  • Templates for internal documents (if necessary).

Basis of Work

The audit process adheres to the following standards:

  • ISO/IEC 27001:2022: Information Security Management.
  • ISO/IEC 27002:2022: Controls and guidelines for implementing an ISMS.
  • ISO/IEC 27003:2017: Guidance on the ISMS implementation process.
  • ISO/IEC 27005:2022: Information security risk management.
  • ISO/IEC 27007:2020: Guidelines for auditing information security management systems.

Frequently Asked Questions (FAQ)

  • 1: What is ISO 27001?

    ISO 27001 is an international standard for managing information security. It provides a framework for an Information Security Management System (ISMS) to protect data and systems.

  • 2: How long does an ISO 27001 audit take?

    The timeline depends on the size and complexity of the organization, typically taking 3 to 6 months from scoping to the completion of the audit.

  • 3: What is an ISMS?

    An Information Security Management System (ISMS) is a set of policies, procedures, and controls designed to manage information security risks and ensure compliance with standards like ISO 27001.

  • 4: What is the purpose of a GAP Assessment?

    The GAP Assessment identifies areas where your ISMS does not meet ISO 27001 requirements and provides recommendations to achieve compliance.

  • 5: What happens after the GAP Assessment?

    Based on the findings of the GAP Assessment, we provide recommendations for remediation, which may involve policy updates, control implementations, or process improvements.

  • 6: Can I implement ISO 27001 on my own?

    While it’s possible to implement ISO 27001 internally, working with experienced consultants ensures that you efficiently meet compliance requirements and avoid common pitfalls.

  • 7: What happens if non-compliance is found during the audit?

    If non-compliance is identified, we will help you develop and implement a corrective action plan to address the issues and ensure full compliance before certification.

  • 8: How often do I need to be re-audited for ISO 27001?

    After initial certification, an organization undergoes annual surveillance audits to ensure continued compliance. A full recertification audit is typically required every three years.