- You will need to provide essential information for the project to proceed on schedule and fulfil its objectives. This will be managed so as to minimise any disruption, but it is essential that your staff give any requests the appropriate priority.
- You must provide sufficient resources to implement any security controls required over and above those that are already in place, and implement any monitoring and measurement arrangements that are recommended.
- You will need to appoint an internal project coordinator to host the online meetings and to ensure all required information is provided on time and that tasks and actions allocated to your staff are carried out as agreed.
This package is ideal for organisations of 19 people and fewer, including the CEO and management / executive team.
Cyber security requirements:
You should already have a basic level of cyber security in place (e.g. those measures indicated by the UK Government for small businesses). We advise clients to either have achieved Cyber Essentials certification (a UK cyber security standard) or be planning to achieve Cyber Essentials certification in parallel with their ISO 27001 project.
Please see the section on Cyber Essentials at the end of this document for more information.
You will be assigned a qualified consultant who will work with you and undertake all the key activities of setting up a working ISO 27001 Information Security Management System which reflects your business objectives and requirements, and is suitably scaled to the size of your organisation.
The project follows our experts' proven methodology for implementing an ISMS.
1. Project mandate
The first stage focuses on collating information relating to your commitment to proceed with the project and producing an information security policy that reflects the appropriate objectives for your organisation. This will define the scope of the ISMS and facilitate the mandated management approval of essential documents.
2. Project initiation
This stage develops the project’s goals and ensures that both the project and the ISMS succeed in delivering the objectives. With a project plan and key delivery dates in place, it’s easy to keep track of the achievement of milestones and ensure the project is delivered on time.
3. ISMS initiation
The third stage involves compiling a list of the requirements of each ISMS process and the tasks required to develop and implement them. These will relate directly to the principal stages in the project plan and inform the assignment of tasks required to execute the plan.
4. Management framework
This stage addresses the critical ISO 27001 requirements relating to organizational context, scope and leadership, and ensures that the ISMS framework is aligned with and supports the delivery of business objectives.
5. Baseline security criteria
Any organisation already has a number of security controls in place. Ensuring these existing security controls meet the requirements of the relevant legislation, regulations and contracts early in the project can ensure an effective information security stance.
6. Risk management
This stage covers the development of a robust information security risk process and the identification of appropriate information security risk treatments and controls. The default approach is an asset-based risk assessment, unless specifically required otherwise, and results in the essential Risk Treatment Plan (RTP) and Statement of Applicability (SoA).
7. Implementation
The implementation phase addresses both management system processes and information security controls to make sure that the design of the ISMS and the operation of its processes are carried out in an appropriate manner.
Your consultant will work with you to develop the necessary documentation based upon a consolidated workbook that forms the basis for the ISMS. Your consultant will also help arrange access to online information security staff awareness training, which will ensure you meet this specific requirement of the Standard.
8. Measure, monitor and review
This phase establishes the effectiveness of the ISMS based upon measurable parameters, including ISMS processes and security controls. Key areas include an internal ISMS audit and management review; your consultant will facilitate the first management review meeting.
9. Certification audit
We will plan, conduct, report and follow-up on the necessary internal audit prior to the certification audit.
One day’s support will be available during the stage two certification audit.
Certification success guarantee:
We guarantee that you will achieve certification within the timeline of the agreed ISO 27001 project. This guarantee – which is subject to contract and to you providing the agreed resource and executing the project plan – ensures that we will meet any and all extra direct remedial costs necessary to ensure that you pass your final certification audit.
We support the integrity of the accredited certification process, which is governed by the International Accreditation Forum (IAF) and the national accreditation bodies that are its members, and ensures that certification bodies do not certify their own work. Accredited certificates are widely recognized as credible assurance regarding an organisation’s information security capabilities and, as part of the ISO 27001 Consultancy, we will help you select an independent, accredited certification body to suit your budget, location, timescale and organizational culture.
Next steps: maintaining your ISMS:
As your organisation grows, you will need to develop and expand your documentation appropriately. Maintaining a healthy ISMS is a commitment that extends beyond certification, and you will need to set aside additional resources to ensure ongoing compliance with the requirements of ISO 27001.
About Cyber Essentials:
Cyber Essentials is a UK government scheme that describes a set of five basic technical security controls that need to be reflected in your information security stance.
We will invoice you for your project on signature.
Payment is due within 28 days of invoice date.
This does not include the costs of accredited certification, which you pay directly to your chosen independent certification body.
ISO27001 Online Consultancy Service fees do not include travel and subsistence expenses, which will vary depending on your location, and are invoiced monthly at cost.
Ensure your organisation achieves ISO 27001 compliance in just a few months.