Having been involved in implementing ISO 27001, the International Standard for Information Security Management Systems (ISMSs), since its inception, URM has deep insight into the Standard’s requirements and how best to satisfy them. URM supports all stages of the ISO 27001 lifecycle, from conducting gap analyses and risk assessments through to ongoing management system and control audits. URM can offer your organisation full lifecycle services or one of the more specific services detailed below.
With the publication of ISO 27001:2022 on 25 October 2022, URM is ideally placed to help organisations certify against the updated Standard. Should you already be certified to ISO 27001:2013, we can provide you with the following practical support to help you quickly and seamlessly transition to the 2022 version of the Standard:
- Consultancy services where we will work with you in a bespoke manner to prepare for, and successfully transition to, the 2022 version of the Standard
- Our 1-day ISO 27002:2022 Control Migration and 2-day ISO 27001:2022 Transition training courses
- Our automated risk assessment tool Abriska, which has been updated with the new control set (see our 2 November webinar)
If you are not yet certified, there has never been a better time to develop an information security management system and achieve certification. URM can help you with the services listed below. If you would like to understand more about the benefits and what’s involved in implementing ISO 27001, please register your interest here and we will be in touch.
URM will assess both your existing information security framework or management system and your information security controls. For the former, our consultants will review both your documentation and your working practices in order to identify what gaps exist in relation to the requirements contained in the mandatory clauses (4 to 10) of ISO 27001. For the latter, we will identify what gaps exist between your information security controls or measures and the controls of Annex A of the Standard.
ISO 27001 is fundamentally a risk-based standard: you identify the risks that are specific to your organisation’s information assets and decide how best to treat them based on your risk appetite. Utilising Abriska, its proven ISO 27001 risk assessment tool, URM can assist you not just in identifying the threats to your information assets, but also in assessing the likelihood and impact of their occurring. Once you have identified your greatest risks, you are then able to prioritise your risk treatment activities and make the best use of your time, effort and budget. With Abriska, you will also be able to produce the outputs ISO 27001 requires, such as the Statement of Applicability (SoA), risk register and risk treatment plan (RTP).
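To make the risk-based approach above concrete, here is an added illustration in Python. It is not Abriska and not URM’s methodology; it assumes a 1-to-5 likelihood and impact scale with risk = likelihood × impact, a risk appetite threshold of 9 (both assumptions), a constructed set of four risks, and an illustrative subset of ISO 27001:2022 Annex A control identifiers. It shows how the same assessment feeds all three required outputs: the risk register (sorted so the largest risks are treated first), the risk treatment plan (treat or accept against appetite) and the Statement of Applicability (each control marked applicable or not, with a justification that traces back to the assessment).

```python
from dataclasses import dataclass

# Constructed example data and thresholds; not Abriska's methodology or output.
RISK_APPETITE = 9  # assumption: scores at or above this exceed appetite and must be treated

# Illustrative subset of ISO 27001:2022 Annex A control titles, used for SoA wording only.
ANNEX_A = {
    "A.5.17": "Authentication information",
    "A.8.1": "User endpoint devices",
    "A.8.5": "Secure authentication",
    "A.8.7": "Protection against malware",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
    "A.8.25": "Secure development life cycle",
}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    controls: tuple   # Annex A controls proposed to treat this risk (illustrative mapping)

    def __post_init__(self):
        # Reject scores outside the assumed 1..5 scale so the register stays comparable.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def risk_register(risks):
    """Risk register ordered highest score first, so treatment effort goes to the top."""
    return sorted(risks, key=lambda r: (-r.score, r.asset))


def treatment_plan(risks, appetite=RISK_APPETITE):
    """RTP rows: (score, asset, threat, decision, controls). Risks within appetite are accepted."""
    rows = []
    for r in risk_register(risks):
        decision = "treat" if r.score >= appetite else "accept"
        rows.append((r.score, r.asset, r.threat, decision, r.controls))
    return rows


def statement_of_applicability(risks, appetite=RISK_APPETITE):
    """SoA: every Annex A control with an applicable flag and a justification
    traceable to the risk assessment (inclusions and exclusions both justified)."""
    driven_by = {}
    for r in risks:
        if r.score >= appetite:
            for control in r.controls:
                driven_by.setdefault(control, []).append(r.asset)
    soa = {}
    for cid, title in ANNEX_A.items():
        if cid in driven_by:
            soa[cid] = (True, f"{title}: treats risk(s) to {', '.join(driven_by[cid])}")
        else:
            soa[cid] = (False, f"{title}: no risk above appetite requires it")
    return soa


# Constructed sample register; assets, threats and control mappings are illustrative.
SAMPLE_RISKS = (
    Risk("Customer database", "Credential theft via phishing", 4, 5, ("A.5.17", "A.8.5")),
    Risk("Office laptops", "Loss or theft of device", 3, 3, ("A.8.1", "A.8.24")),
    Risk("Backups", "Ransomware encrypts backup copies", 2, 5, ("A.8.13",)),
    Risk("Marketing website", "Defacement", 2, 2, ("A.8.25",)),
)

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_RISKS):
        print(row)
    for cid, (applicable, why) in statement_of_applicability(SAMPLE_RISKS).items():
        print(cid, "applicable" if applicable else "excluded", "-", why)
```

The design point worth noting is that the SoA is derived from the treated risks rather than written independently: a control with no risk above appetite behind it is excluded with that reason recorded, which is exactly the traceability an auditor will look for between the risk assessment and the SoA.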
Developing Policies and Processes
The risk assessment will determine what policies and processes need to be developed and implemented. Some may be existing policies and processes which need amending or refining, whereas others may need to be developed from scratch. Whichever it is, URM will ensure they are developed with two goals in mind. Firstly, they will be tailored to match your culture and style and reflect what you actually do. Secondly, our consultants will ensure that anything produced fully meets the requirements of ISO 27001. URM can assist you in the development of your information security policy, along with all the supporting policies and processes.
Developing your ISMS Framework and Infrastructure
In order to conform with the requirements of ISO 27001, you will need to establish a framework and management system. URM will draw upon its experience and help you establish some of the key components such as:
- An information security forum (ISF)
- Monitoring and measurement mechanisms for the management system
- An information security training and awareness programme.
Auditing plays a critical role in ensuring that your organisation’s management system is operating effectively. A significant challenge for many organisations is a lack of sufficiently competent resources, or of resources with sufficient impartiality, to cover all auditing needs. URM’s auditors are skilled and knowledgeable not only in audit techniques but also in the subject of the audit, whilst at the same time being independent of the area being audited. URM can offer your organisation a flexible range of audit services, from planning and implementing a full three-year ISO 27001 audit programme to conducting individual audits against any aspect of the ISMS or any specific controls.
Full Implementation Support
As well as providing consultancy support in the above-mentioned areas, URM’s consultants can also provide guidance and knowledge transfer across the full ISO 27001 implementation lifecycle. Furthermore, URM can offer your organisation two levels of support:
- The first level of support is where URM takes the lead in terms of development, and you review and approve.
- The second level of support involves URM providing a ‘light touch’ advisory and mentoring service, with you taking responsibility for developing your ISMS and URM reviewing all outputs to assess whether they fully meet the relevant requirements of the Standard.
Interim Information Security Manager
A further ISO 27001 service we can provide is our Interim Information Security Manager Service, to cover for absence or while you recruit a permanent resource. Equally, URM’s interim resource may be engaged to manage a specific project, e.g., implementing a management system, complying with a new regulation, or addressing a turnaround or change requirement.
Why URM for ISO 27001?
Risk management expertise
Getting the assessment and management of information security risk right is critical. It is also an area where URM excels and where clients can take advantage of URM’s in-house risk management module, Abriska, with its robust and proven risk assessment methodology and the extensive experience and expertise of its consultants.
Achieving optimum balance
When helping develop your ISMS, URM’s goal is to achieve the optimum balance between meeting the mandatory management system requirements of ISO 27001 and ensuring your management system is fully sustainable and tailored to your organisation’s size, culture and business objectives.
URM has an unparalleled track record of assisting over 300 organisations to achieve and maintain certification to ISO 27001 and is proud never to have been involved in a failed certification project. Our clients have ranged in size from micro businesses to multinationals and come from a diverse range of market sectors and, due to our tailored approach, every one of the 300+ implemented ISMSs has been different.
Stay in the loop
Please provide your contact details and we will email you with details of ISO 27001:2022, along with the contents of URM’s online 1 day ISO 27002:2022 Control Migration and 2 day ISO 27001:2022 Transition courses.