Security audit. Implementation of standards. Managed Security
Implementation and support of ISO 27001, VDA, TISAX, PCI DSS, GDPR and other standards and regulations. Official certification
Find out also how we implemented ISO 27001 in a company that develops medical software.
Introduction to security standards
The international standard ISO/IEC 27001:2013 “Information technology – Security techniques – Information security management systems – Requirements” is the most recognized worldwide framework for building modern Information Security Management Systems (ISMS) and their official certification.
The Payment Card Industry Data Security Standard (PCI DSS) is an official regulation for any merchant and service provider who use payment card technology, either for card-present or card-not-present transactions (e. g. e-commerce). PCI DSS compliance is required for any organization that processes or stores cardholder data, i.e. has the Cardholder Data Environment (CDE).
Implementation and corresponding certification process for ISO 27001 and PCI DSS, from the point of view of service delivery, are similar. Compliance plays formal role, whereas actual security does not always correspond to the compliance status. Since we are practical security specialists and white-hat hackers, we help our customers to build not only formal compliance, but also actual protection from modern threats. Real security is not only a set of solutions, policies and procedures. It is also the culture of security, secure mindset and behavior of your personnel.
Our certifications (CISSP, ISO 27001 Lead Auditor, CISA, OSCP, CEH, etc.) allow us to cover both formal and practical aspects of security compliance and security management. When building an ISMS or security controls, we rely not only on ISO 27001/27002 or PCI DSS, but also actively use other standards and frameworks, when this is appropriate or explicitly required by our customers or their partners. For example, ISF SoGP (Information Security Forum Standard of Good Practice for Information Security), COBIT (Control Objectives for Information & Associated Technologies), VDA ISA (Verband der Automobilindustrie - Association of the Automotive Industry - Information Security Assessment), TISAX (Trusted Information Security Assessment Exchange), GDPR (General Data Privacy Regulation), and so on.
Our approach to implementation begins with simple steps in order to give you the first value for free, to introduce you to the process and to allow you to understand clearly the essence of the implementation works and your role in them.
Scoping and prioritization
We prepare individual self-assessment questionnaires for our customers, to start assessment of the current state of the ISMS or CDE. Then we define and document the scope (business processes, organizational divisions, premises, networks, sub-networks, network services, etc.), and detail the project plan for the initial audit and gap analysis.
Scope definition is crucial for ISO 27001 and PCI DSS. Any mistakes on this stage can lead to excessive implementation and maintenance works or to problems with the certification. In addition, we perform initial prioritization of tasks, to allow you to get the most important security measures as soon as possible.
We perform this stage for you free of charge. When you are sure that you are interested in working with us further, we will send you a commercial offer and sign a service agreement.
Initial audit, gap analysis and detailed project planning
We carry out this stage usually within 2 to 5 weeks, depending on the approved scope. During the initial audit, we interview the customer’s employees, verify documents, assess physical security and the perimeter, etc.
This stage includes analysis of the initial or current state of the processes and information security management controls, business processes and technological processes; analysis of the physical security of the premises, personnel, IT infrastructure, etc. The outcome of this stage is an initial audit report, gap analysis and a detailed schedule for the implementation of the ISO 27001 ISMS or PCI DSS controls.
The implementation plan takes into account the customer’s capability to perform part of the project tasks.
Implementation of the security processes and operations
This stage is usually performed during 2 to 9 months, depending on the approved scope, initial state, requirements and the results of the previous stage.
This stage includes implementation of:
- security policies and risk management;
- personnel security, physical security and supplier relationship security;
- asset and access management implementation;
- security operations and communications;
- network and system security;
- secure system life cycle, vulnerability management and security testing;
- security event monitoring and incident management;
- business continuity and disaster recovery planning;
- security effectiveness measurement, etc.
During the project, we constantly train your staff on what and how to do in order to build, maintain and develop an ISMS and/or PCI DSS controls. The result of this phase is not just a set of documents and records that correspond to your actual processes, but also a new security culture of your organization and the highest degree of readiness for official certification.
Certification process usually lasts for 1 to 2 months, depending on the approved scope. This stage includes selection of a certification body, pre-audit, corrective actions and certification audit.
First, we help you choose a certification body from a set of reputable, proven organizations, for example, the ones accredited by UKAS (for ISO 27001) or a good QSA company (for PCI DSS). We consult with the certifying organization on your behalf. We inform them about the completed implementation works and get their preliminary agreement for certification.
Then you make an agreement with the certification body directly. They conduct the pre-audit and find inconsistencies that always exist. Such is the nature of the work of real professional auditors. Further, during several days, we perform corrective actions.
Ultimately, the final certification audit is held, where we officially represent you and demonstrate what we have built for you. After that, you get the ISO 27001 or PCI DSS certificate and become officially compliant.
Outcomes of implementation
The following list is a set of ISMS documents and records, which conform to ISO 27001. The content of these documents and their relevance is checked during the certification audit.
Mandatory policies and procedures, required by ISO 27001:2013:
- Description of the Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3d)
- Risk treatment plan (clauses 6.1.3e and 6.2)
- Risk assessment report (clause 8.2)
Mandatory documents mentioned in Annex А of the ISO 27001:2013 (ISO 27002:2013):
- Bring your own device (BYOD) policy (clause A.6.2.1)
- Mobile device and teleworking policy (clause A.6.2.1)
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Acceptable use of assets (clause A.8.1.3)
- Information classification policy (clauses A.8.2.1, A.8.2.2, and A.8.2.3)
- Disposal and destruction procedures (clauses A.8.3.2 and A.11.2.7)
- Access control policy (clause A.9.1.1)
- Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, and A.9.4.3)
- Procedures for working in secure areas (clause A.11.1.5)
- Clear desk and clear screen policy (clause A.11.2.9)
- Operating procedures for IT management (clause A.12.1.1)
- Change management procedures (clauses A.12.1.2 and A.14.2.4)
- Backup policy (clause A.12.3.1)
- Information transfer policy (clauses A.13.2.1, A.13.2.2, and A.13.2.3)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1.1)
- Incident management procedure (clause A.16.1.5)
- Business continuity procedures (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)
Mandatory records mentioned in ISO 27001:2013 and ISO 27002:2013:
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Inventory of assets (clause A.8.1.1)
- Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
- Procedure for document control (clause 7.5)
- Controls for managing records (clause 7.5)
- Procedure for internal security audit (clause 9.2)
- Procedure for corrective action (clause 10.1)
- Business impact analysis (clause A.17.1.1)
- Exercising and testing plan (clause A.17.1.3)
- Maintenance and review plan (clause A.17.1.3)
- Business continuity strategy (clause A.17.2.1)
Please choose, what would you like more, to assess the compliance of your organization with ISO 27001 online in several minutes for free:
or to get free consultation on managed compliance: