Managed Security and Compliance
Audit, implementation and support of ISO 27001, PCI DSS, VDA ISA, TISAX, ISO 16949, ASPICE, HIPAA, GDPR, SOC2, and other standards and regulations. Official certification
Find out also how we implemented ISO 27001 in a company that develops medical software.
Introduction to security standards
The international standard ISO/IEC 27001:2013 “Information technology – Security techniques – Information security management systems – Requirements” is the most recognized worldwide framework for building modern Information Security Management Systems (ISMS) and their official certification. This standard is the key document in the ISO 27000 family of standards.
The Payment Card Industry Data Security Standard (PCI DSS) is an official regulation for any merchant or service provider who uses payment card technology, either for card-present or card-not-present transactions (e. g. e-commerce). PCI DSS compliance is required for any organization that processes or stores cardholder data, i.e. has the Cardholder Data Environment (CDE).
The implementation and the corresponding certification process for ISO 27001 and PCI DSS, from the point of view of service delivery, are similar. Compliance plays a formal role, whereas actual security does not always correspond to the compliance status. Since we are practical security specialists and white-hat hackers, we help our customers to build not only formal compliance but also actual protection from modern threats. Real security is not only a set of solutions, policies, and procedures. It is also the culture of security, secure mindset and behavior of your personnel.
Our certifications (CISSP, ISO 27001 Lead Auditor, CISA, OSCP, CEH, etc.) allow us to cover both formal and practical aspects of security compliance and security management.
When building an ISMS or security controls, we rely not only on ISO 27001/27002, but also actively use other standards and frameworks, when this is appropriate or explicitly required by our customers or their partners. For example:
- VDA ISA (Verband der Automobilindustrie Information Security Assessment), TISAX (Trusted Information Security Assessment Exchange), ISO/TS 16949, ASPICE (Automotive Software Performance Improvement and Capability dEtermination);
- PCI DSS (Payment Card Industry Data Security Standard), SWIFT Customer Security Controls Framework (CSCF);
- HIPAA (Health Insurance Portability and Accountability Act), HITECH (Health Information Technology for Economic and Clinical Health), HITRUST (Health Information Trust Alliance);
- GDPR (General Data Privacy Regulation);
- SOC 2 (System and Organization Control);
- ISF SoGP (Information Security Forum Standard of Good Practice for Information Security);
- COBIT (Control Objectives for Information and Related Technologies).
Our approach to implementation begins with simple steps so that you receive the first results for free. That would also introduce you to the process and help you understand how the implementation works and your role in it.
Scoping and prioritization
We prepare individual self-assessment questionnaires for our customers, to start an assessment of the current state of the ISMS or CDE. Then we define and document the scope (business processes, organizational divisions, premises, networks, sub-networks, network services, etc.), and detail the project plan for the initial audit and gap analysis.
Scope definition is crucial for ISO 27001, PCI DSS, VDA ISA/TISAX and many other standards. Any mistakes at this stage can lead to excessive implementation and maintenance works or unsuitable certification results. Also, we perform the initial prioritization of tasks, to allow you to get the most important security measures as soon as possible.
We perform this stage for you free of charge. When you are sure that you are interested in working with us further, we will send you a commercial offer and sign a service agreement.
Initial audit, gap analysis, and detailed project planning
We carry out this stage usually within 2 to 5 weeks, depending on the approved scope. During the initial audit, we interview the customer’s employees, verify documents, assess physical security and the perimeter, etc.
This stage includes analysis of the initial or current state of the processes and information security management controls, business processes and technological processes; analysis of the physical security of the premises, personnel, IT infrastructure, etc. The outcome of this stage is an initial audit report, gap analysis and a detailed schedule for the implementation of the ISO 27001 ISMS or PCI DSS controls.
The implementation plan takes into account the customer’s capability to perform part of the project tasks.
Implementation of the security processes and operations
This stage is usually performed within 2 to 9 months, depending on the approved scope, initial state, requirements and the results of the previous stage.
This stage includes the implementation of:
- security policies and risk management;
- personnel security, physical security, and supplier relationship security;
- asset and access management implementation;
- security operations and communications;
- network and system security;
- secure system life cycle, vulnerability management, and security testing;
- security event monitoring and incident management;
- business continuity and disaster recovery planning;
- security effectiveness measurement, etc.
During the project, we constantly train your staff on what to do and how to do it in order to build, maintain and develop an ISMS and/or PCI DSS controls. The result of this phase is not just a set of documents and records that correspond to your actual processes, but also a new security culture for your organization and the highest degree of readiness for official certification.
The certification process usually lasts 1 to 2 months, depending on the approved scope. This stage includes the selection of a certification body, pre-audit, corrective actions, and certification audit.
First, we help you choose a certification body from a set of reputable organizations, for example, the ones accredited by UKAS (for ISO 27001) or a good QSA company (for PCI DSS). We consult with the certifying organization on your behalf. We inform them about the completed implementation works and get their preliminary agreement for certification.
Then you make an agreement with the certification body directly. They conduct the pre-audit and find inconsistencies that always exist. Such is the nature of the professional auditors’ work. Then, we perform corrective actions, and it usually takes several days.
Lastly, the final certification audit is held, where we officially represent you and demonstrate what we have built for you. After that, you get the ISO 27001 or PCI DSS certificate and become officially compliant.
Outcomes of implementation
The following list is a set of ISMS documents and records, which conform to ISO 27001. The content of these documents and their relevance is checked during the certification audit.
Mandatory policies and procedures, required by ISO 27001:2013:
- Description of the Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3d)
- Risk treatment plan (clauses 6.1.3e and 6.2)
- Risk assessment report (clause 8.2)
Mandatory documents mentioned in Annex А of the ISO 27001:2013 (ISO 27002:2013):
- Bring your own device (BYOD) policy (clause A.6.2.1)
- Mobile device and teleworking policy (clause A.6.2.1)
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Acceptable use of assets (clause A.8.1.3)
- Information classification policy (clauses A.8.2.1, A.8.2.2, and A.8.2.3)
- Disposal and destruction procedures (clauses A.8.3.2 and A.11.2.7)
- Access control policy (clause A.9.1.1)
- Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, and A.9.4.3)
- Procedures for working in secure areas (clause A.11.1.5)
- Clear desk and clear screen policy (clause A.11.2.9)
- Operating procedures for IT management (clause A.12.1.1)
- Change management procedures (clauses A.12.1.2 and A.14.2.4)
- Backup policy (clause A.12.3.1)
- Information transfer policy (clauses A.13.2.1, A.13.2.2, and A.13.2.3)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1.1)
- Incident management procedure (clause A.16.1.5)
- Business continuity procedures (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)
Mandatory records mentioned in ISO 27001:2013 and ISO 27002:2013:
- Records of training, skills, experience, and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Inventory of assets (clause A.8.1.1)
- Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
- Procedure for document control (clause 7.5)
- Controls for managing records (clause 7.5)
- Procedure for internal security audit (clause 9.2)
- Procedure for corrective action (clause 10.1)
- Business impact analysis (clause A.17.1.1)
- Exercising and testing plan (clause A.17.1.3)
- Maintenance and review plan (clause A.17.1.3)
- Business continuity strategy (clause A.17.2.1)
Click the button below to assess the compliance of your organization with ISO 27001 online in several minutes for free:
Click this button to get a free consultation on managed compliance: