ISMS & ISO27001

ISMS and ISO27001 in brief

The benefits of establishing and operating an Information Security Management System (ISMS) within the organization are indisputable. Processes and documented procedures are an important part of the management system. They help to improve and optimize risk-based security operations, ensure that critical operations continue uninterrupted during the company's transformation phases, and reduce duplicated effort. An information security management system is a formal way of bringing all security-related activities together, acting in a controlled manner, and eventually showing all this to the outside world.

We can help you build a management system that conforms to the ISO 27001 standard and also fits the size of your company. Formal certification is not the starting point; the starting point is credible security, though not home-grown security. If you later decide to become formally certified or, for example, start trading with a certified company, you can use the management system as evidence of your compliance at an early stage.

What Mint Security delivers

We deliver and develop information security management systems (ISMS) based on the ISO 27001 standard. We know how to scale common reference frameworks to suit the needs of companies of different shapes and sizes. We have implemented management systems for companies operating in heavily regulated industries and also for small companies that work with customers many times their own size, yet speak the same security language.

The competitive advantage
We always strive to bring out the competitive advantage of information security. We understand that good security comes at a cost. Security is like insurance: it manages risks. But it would be simply foolish not to take full advantage of it.
Law and regulation
Everyone has to comply with laws and regulations, some more than others, and some almost drown in them. But no one loves regulation. We know how to turn this to your advantage, and it shows in our results.

We guide and advise our client throughout the project, up to the certification if that is what the client seeks. We participate in developing the processes, the risk register and the security controls as necessary. The customer chooses the degree of our participation; if desired, we act only as a proofreader and coach. This depends on the customer's own resources, schedules and, of course, expertise. On top of it all, we can also provide training and process implementation.

With us, our customer can get to the point where a third-party audit can take place. The certification audit is always performed by someone other than those who have been involved in the project; this is required not only by good management practice but also by the independence that must exist between the author and the assessor. We do not conduct ISO 27001 certification audits.

Workshop

We usually start the project with an ISO workshop. The workshop reviews the standard and the prerequisites for certification. We present the processes required by the standard as well as the necessary documents and operating models. It is important to present the subject as a whole to top management as well. Management's commitment to the project and its results, and in particular to the ongoing work and organization it requires, is extremely important.

Team workshop

The topics of the workshop vary according to the industry in question, and the implementation is generally scoped according to the company's information security maturity. At a minimum, the following issues will be addressed in the workshop:

  • What is an ISMS and what is ISO 27001?
  • Security goals and objectives
  • Roadmap and achieving the goals in the desired timeframe
  • What needs to be documented – mandatory documents
  • Industry standards and frameworks that guide company’s operations
  • Company’s certification goals – whether the goal is a formal certification or just acting in a formal manner
  • Minimum requirements set by the ISMS and how to achieve them
  • Annual wheel and organization
  • Risk register, risk management and how they relate to information security
  • Audits, audit planning and audit objectives
  • The role of continuity in information security
  • Information security requirements and objectives in application and product development
  • Information security requirements and objectives for infrastructure, cloud and other production environments
  • Technical solutions: log management, risk register, incident management, vulnerability scanning, code scanning
  • Identifying existing abilities and reflecting on what can be purchased as a service now and later on

We prepare the workshop carefully by, among other things, getting to know the industry, the company itself and your organization. We also review and evaluate any documents submitted to us in advance. During the workshop, we present the standard and build an understanding of the company's readiness for certification. As a deliverable of the workshop, a preliminary plan for the project and its first steps is created. If necessary, we also interview representatives of different stakeholders separately during the day.

The workshop has a fixed price, so the initial cost remains fully under control.

The project

An ISMS or ISO 27001 project can start from various starting points. What all cases usually have in common, however, is a specific requirement from customers or the operating environment that is difficult to address by any means other than a documented security management system. In addition, the project starts with a view of the organization's own capabilities and a realistic schedule.

The project creates all the processes, documents and other items required by the standard. We like to work in sprints, which allows the client to estimate costs and lets us estimate our workload in a controlled manner as the project progresses. Our expertise helps you keep the focus on doing the right things at all times. We make sure that tasks are done with the required care and precision, but also that unnecessary and overwhelming solutions are not built.

Focusing solely on implementing the ISO 27001 Annex A controls (in practice, ISO 27002) is rarely fruitful on its own. Each control described in Annex A must reflect the risk it treats. Risk assessment, in turn, is guided by which asset the risk belongs to and how important that asset is to the company. That importance is derived directly from business and continuity needs: the company's critical functions. This chain is also what the Statement of Applicability documents: for each Annex A control, whether it applies and why.
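As an added illustration (not part of this page and not Mint Security's own risk register tooling), the following Python snippet follows that chain in the direction the text describes: asset importance drives the risk score, the risk score decides whether treatment is needed, and the Annex A controls marked applicable must each trace back to a risk. The criticality and likelihood scales, the risk appetite threshold, the sample assets and risks, and the Annex A identifiers (ISO 27001:2022 numbering) used here are constructed for the example.

```python
from dataclasses import dataclass

# Constructed example data and scales; not a customer's register.
# Criticality and likelihood both use a 1..5 scale (1 = negligible, 5 = severe).


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int  # importance to the business and its continuity, 1..5


@dataclass(frozen=True)
class Risk:
    rid: str
    asset: str             # name of the Asset this risk belongs to
    threat: str
    likelihood: int        # 1..5
    controls: tuple = ()   # Annex A control ids selected to treat this risk


def risk_score(asset: Asset, risk: Risk) -> int:
    """Risk = asset criticality x threat likelihood.

    The asset's importance, not the control catalogue, drives the score.
    Out-of-scale values are rejected rather than silently clamped.
    """
    for value in (asset.criticality, risk.likelihood):
        if not 1 <= value <= 5:
            raise ValueError(f"value {value} is outside the 1..5 scale")
    return asset.criticality * risk.likelihood


def check_register(assets, risks, soa_controls, appetite=8):
    """Findings a reviewer would raise before a certification audit.

    untreated:     risks scoring above appetite with no control assigned
    unjustified:   controls marked applicable in the SoA that no risk references
    unknown_asset: risks pointing at an asset missing from the inventory
    """
    by_name = {a.name: a for a in assets}
    scores, untreated, unknown, referenced = {}, [], [], set()
    for risk in risks:
        asset = by_name.get(risk.asset)
        if asset is None:
            unknown.append(risk.rid)
            continue
        score = risk_score(asset, risk)
        scores[risk.rid] = score
        referenced.update(risk.controls)
        if score > appetite and not risk.controls:
            untreated.append(risk.rid)
    unjustified = sorted(set(soa_controls) - referenced)
    return {
        "scores": scores,
        "untreated": untreated,
        "unjustified": unjustified,
        "unknown_asset": unknown,
    }


# Constructed inventory, risks and SoA scope for the example.
ASSETS = [
    Asset("customer-db", 5),
    Asset("marketing-site", 2),
    Asset("build-pipeline", 4),
]
RISKS = [
    Risk("R1", "customer-db", "unpatched database service reachable from the internet", 3,
         ("A.8.8", "A.8.15")),
    Risk("R2", "marketing-site", "defacement via outdated CMS plugin", 4),
    Risk("R3", "build-pipeline", "malicious dependency pulled into the release build", 3),
    Risk("R4", "customer-db", "loss of the primary hosting region", 2,
         ("A.5.30", "A.8.13")),
]
SOA_CONTROLS = {"A.8.8", "A.8.15", "A.5.30", "A.8.13", "A.8.24"}

if __name__ == "__main__":
    findings = check_register(ASSETS, RISKS, SOA_CONTROLS)
    for rid, score in sorted(findings["scores"].items(), key=lambda kv: -kv[1]):
        print(f"{rid}: score {score}")
    print("risks above appetite without treatment:", findings["untreated"])
    print("SoA controls with no justifying risk:", findings["unjustified"])
```

Run against the constructed data, R3 (a critical build pipeline, likelihood 3, score 12) is flagged as untreated, while R2 (score 8, within appetite) is legitimately left untreated; A.8.24 is flagged because it was marked applicable without any risk justifying it, which is exactly the Annex-A-first mistake the text warns about.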

Customer needs and challenges to be solved

Implementing individual security requirements one by one is, of course, possible, but inefficient in the long run. Individual actions turn into an endless and almost uncontrollable to-do list or backlog that requires constant vigilance. In particular, it makes it impossible to demonstrate the control measures and their effectiveness, which is what the regulation or the customers are really demanding. This costs both time and money, and the worst part is that it usually repeats itself, nothing is learned from mistakes, and the actual security message reaches just about no one.

In many organizations, security considerations have already been taken into account in some way at a practical level, but their effectiveness or impact cannot be properly measured, nor can the advantage gained be fully exploited. A company may already have written more or less structured security documentation, perhaps for a particular need or for a specific project that has since ended. With the right kind of management, these existing materials and practices can be harnessed for other purposes as well.

When describing processes, and especially their implementation, it is important to demonstrate that the process is continuous and that repetitive, systematic activities take place on an annual basis. Of course, in addition to demonstrating this, it is also important to act in accordance with your own operating models in every situation. Information security is part of quality control and of the quality promise.

More details about our methods and tools

We use the entire ISO 27000 family of standards to support our work. In addition, our toolkit includes knowledge of the various reference frameworks that support the standards, such as OWASP SAMM and BSIMM on the application development side, as well as the cyber security requirements of the financial industry. For technical cloud controls, we generally apply CSA guidelines and materials. We are able to integrate vulnerability management practices into our operations. We have our own customizable solution for the risk register and incident management.

We do agile projects that generate profit and value. During the project, the expertise of our entire team, from risk analysis to security testing of certain technical controls, is at your disposal.

Multiple frameworks - one job
We use reference frameworks to our advantage. We have readily available practices for comparing different standards and requirements frameworks side by side. We strive to do things properly in the first run - and showcase our success from various perspectives.
Regulations and standards
We float swimmingly in the depths of regulations and standards. In particular, we scale down so that even small businesses can benefit from official standards - without drowning in bureaucracy. This is, in fact, the case that comes up most often.
Best practices
We implement standards and regulations, and also make use of ready-made templates and tools on the market. We reconcile your working methods, best practices and official standards.
Reference materials

Case: How we helped kicker.cloud achieve ISO 27001 certification (Thomas)

This is a case study about the certification path of kicker.cloud, a very small startup company, its SaaS product and its high ambitions aimed at a global market. kicker.cloud encountered the same issues so many others have faced before and will face in the future: the dreaded procurement Excel sheets with seemingly endless amounts of security requirements that need to be addressed before any business deal can go ahead.

Internal audit – Using internal or external resources? (Saku Tuominen)

As part of the ISO/IEC 27001 certification process, organizations must conduct regular internal audits to ensure compliance and identify areas for improvement. One common dilemma businesses face is whether to conduct these audits internally or engage an external company to do it.

ISO 27001 – Essential requirements (Saku Tuominen)

All organizations are unique in their security needs and capabilities, and ISO 27001 does not seek to change that fact. The standard guides the adoption of appropriate processes and practices to improve, clarify, and maintain information security as an integral part of day-to-day operations.

Risk management and ISO 27001 (Elina Partanen)

Do you seek ISO 27001 compliance? Thomas has blogged about the starting points for an ISO 27001 certification project. This blog post unwraps the importance of risk management in the pursuit of ISO 27001 certification.

contact us

Please do contact us. We most likely respond faster than you thought.