ISMS & ISO27001
ISMS and ISO27001 in brief
The benefits of establishing and operating an Information Security Management System (ISMS) within an organization are indisputable. Processes and documented procedures are an important part of the management system: they help improve and optimize risk-based security operations, ensure that critical operations continue uninterrupted during the company’s transformation phases, and reduce duplicated effort. An information security management system is a formal way of bringing together all security-related activities, acting in a controlled manner – and eventually showing all this to the outside world.
We can help you build a management system that conforms to the ISO 27001 standard while also fitting and adapting to the size of your company. Formal certification is not the starting point; the starting point is credible security that is clearly not home-grown. If you later decide to become formally certified or, for example, start trading with a certified company, you can use the management system as early evidence that you are compliant.
What Mint Security delivers
We deliver and develop information security management systems (ISMS) based on the ISO 27001 standard. We know how to scale common reference frameworks to suit companies of different shapes and sizes. We have implemented management systems for companies operating in heavily regulated industries and for small companies that work with customers many times their own size – and yet speak the same security language.
We guide and advise our client throughout the project – up to certification, if that is what the client seeks. We participate in the development of processes, the risk register and security controls as necessary. The customer chooses the degree of our participation – if desired, we act only as proofreader and coach. This depends on the customer’s own resources, schedules and, of course, expertise. On top of it all, we can also provide training and process implementation.
With us, the customer can reach the point where a third-party audit can take place. The certification audit is always performed by someone other than those involved in the project (this is required by good management practice, and the roles of author and assessor are in any case incompatible). We do not conduct ISO 27001 certification audits.
We usually start the project with an ISO workshop. The workshop reviews the standard and the prerequisites for certification. We present the processes required by the standard as well as the necessary documents and operating models. It is important to present the subject as a whole to top management as well. Management’s commitment to the project and its results – and in particular to the ongoing work and organization it requires – is extremely important.
The topics of the workshop vary according to the industry in question, and the implementation is generally based on the company’s maturity in information security. At a minimum, the following issues are addressed in the workshop:
- What are ISMS and ISO 27001?
- Security goals and objectives
- Roadmap and achieving the goals in the desired timeframe
- What needs to be documented – mandatory documents
- Industry standards and frameworks that guide the company’s operations
- The company’s certification goals – whether the goal is formal certification or just operating in a formal manner
- Minimum requirements set by the ISMS and how to achieve them
- Annual wheel and organization
- Risk register, risk management and how they relate to information security
- Audits, audit planning and audit objectives
- The role of continuity in information security
- Information security requirements and objectives in application and product development
- Information security requirements and objectives for infrastructure, cloud and other production environments
- Technical solutions: log management, risk register, incident management, vulnerability scanning, code scanning
- Identifying existing abilities and reflecting on what can be purchased as a service now and later on
We carefully prepare the workshop by, among other things, getting to know the industry, the company itself and your organization. We also review and evaluate any documents submitted to us in advance. During the workshop, we present the standard and build an understanding of what the project’s path to certification will look like. The workshop’s deliverable is a preliminary plan for the project and its first steps. If necessary, we also interview representatives of different stakeholders separately during the day.
The workshop has a fixed price, to keep the initial cost fully under control.
An ISMS or ISO 27001 project can start from various starting points. What all cases usually have in common, however, is a specific requirement from customers or the operating environment that is difficult to address by other means than a documented security management system. In addition, at the beginning of the project the organization usually has some notion of its own abilities and of a realistic schedule.
The project creates all the processes, documents and other items required by the standard. We like to work on a sprint basis, which allows the client to estimate costs and lets us estimate our workload in a controlled manner as the project progresses. Our expertise helps you keep the focus on doing the right things all the time. We make sure that tasks are done with the required care and precision – but also that unnecessary and overwhelming solutions are not built.
Focusing solely on implementing ISO 27001 Annex A – in practice, ISO 27002 – is often not directly very fruitful. Each control described in Annex A must reflect the risk involved. The risk assessment, in turn, is guided by which asset the risk belongs to and how important that particular asset is to the company. The importance to the company, in turn, is derived directly from business and continuity needs – the critical functions of the company.
Customer needs and challenges to be solved
Precise implementation of individual security requirements is, of course, possible, but inefficient in the long run. Individual actions turn into an endless and almost uncontrollable to-do list or backlog that requires constant vigilance. In particular, this makes it impossible to demonstrate the control measures and their effectiveness – which is what the regulation or the customers are really demanding. This takes both time and money, and the most miserable thing is that it usually repeats itself, no lessons are learned from mistakes, and the actual security message reaches just about… no one.
In many organizations, security considerations have generally already been taken into account in some way at a practical level, but their effectiveness or impact cannot be properly measured – nor can the advantage gained be fully exploited. A company may already have more or less structured security documentation – perhaps written for a particular need or for a specific project that has already ended. With the right kind of management, these existing materials and practices can be harnessed for other purposes as well.
When describing processes, and especially their implementation, it is important to demonstrate that the process is continuous and that repetitive, systematic activities take place on an annual basis. Beyond demonstrating this, it is of course also important to act in accordance with your own operating models in each situation. Information security is part of quality control and the quality promise.
More details about our methods and tools
We use the entire ISO 27000 family of standards to support our work. In addition, our toolkit includes knowledge of the various reference frameworks that support the standards, such as OWASP SAMM and BSIMM on the application development side, as well as the cyber security requirements of the financial industry. For technical cloud controls, we generally apply CSA guidelines and materials. We can integrate vulnerability management practices into our operations. We have our own customizable solution for the risk register and incident management.
We run agile projects that generate profit and value. During the project, the expertise of our entire team, from risk analysis to security testing of specific technical controls, is at your disposal.
How much common ground is shared between technical vulnerability scanners and the de facto global information security standard? Quite a lot, actually. In this blog post we examine how the Holm Security VMP platform meets ISO 27001 requirements for detecting vulnerabilities in an organization’s information systems, assessing the risks involved and taking corrective actions.
Planning an information security management system that complies with an industry standard – in brief, carrying out an ISO 27001 project – can begin from various starting points. Some organizations have already familiarized themselves with the standard; some have even written the first mandatory documents. Yet for many, this article could be the first contact with any form of security work at all.