Implement ISMS according to ISO 27001
Protect your sensitive business information according to best practices.
The steps to your ISMS according to ISO 27001
ISO 27001 Gap Analysis
The first step is an ISO 27001 gap analysis. Our ISO 27001 specialists survey and assess - through a mixture of document review and interview sessions with the relevant departments - the status of your current implementation, based on the requirements of ISO 27001.
This ISO 27001 gap analysis gives you and us a clear picture and enables us to realistically estimate the implementation effort, clearly structure the project and define the required work packages.
If you have already performed a gap analysis, we will work with it and not perform it again.
ISO 27001 Gap Analysis
'Where do you stand today?'Establish Framework
Once we have identified the areas of action, we work with you to create the framework and foundation for a functioning ISMS in accordance with ISO 27001:
- We define the scope, based on the requirements of your stakeholders (e.g. management, parent company, ordering parties or business contacts).
- We define and establish the security policy and objectives.
- We determine the required security organization, including roles, committees and their responsibilities.
- We establish the necessary project organization for the development of the ISMS.Â
Establish Framework
'Lay the right foundation'Create policies
We can only achieve the defined information security goals by establishing clear and unambiguous rules. We define these "rules" in various guidelines, both for all employees in the scope of the ISMS and for specific areas or target groups (e.g., IT admins, software development, purchasing, human resources, or facility management).
We do not reinvent the wheel here, but use our numerous templates, which have already been successfully tested in practice for several years and are regularly updated so that they always reflect the state of the art.
We agree the created guidelines with the necessary people in the specialist departments and integrate them into the relevant business areas.Â
Create policies
"No ISMS according to ISO 27001 without clear rules"Information Security Risk Management
Information security risk management (InfoSec Risk Management) is the heart of an effective ISMS according to ISO 27001, because it helps you to distinguish the important from the unimportant and always proceed pragmatically.Â
Jointly with you, we create the necessary structural and procedural organization to identify, assess, deal with (i.e. derive appropriate measures) and document all relevant information security risks in a structured and systematic manner.
If you already operate a risk management system or have your own risk management approach in your company, we will base our work on this and, if necessary, enrich it with relevant aspects of ISO 27001 that are missing.
Information Security Risk Management
"Identify risks and derive measures"Implement measures
Now it's time to implement the defined measures. In this phase, we provide very targeted coaching and also support you as needed in the event of any resource bottlenecks. It is important to us to prepare you or a member of your team as best as possible for your tasks as an information security officer.
During implementation, we place great emphasis on practicable solutions, i.e., on ensuring that the measures
- contribute to achieving the desired level of security,
- are economical and feasible, and
- still meet the requirements of ISO 27001 incl. Annex A..
Implement measures
"Eliminate deficits and implement requirements"Pre-audit & preparation session
ISO 27001 requires that you regularly perform internal ISMS audits in order to be ready for certification - with good reason. We support you in planning and conducting your internal ISO 27001 "pre-audit" here as well.
To ensure that we do not audit our own work here - which could lead to a significant conflict of interest - the internal ISMS audit is performed by an external ISO 27001 auditor from our partner network, who was not involved in setting up the ISMS in your company and is correspondingly neutral and independent.Â
These 'pre-audits' deliver a high level of benefit:
- You receive a realistic status on your status and progress.
- They fulfill the ISO 27001 requirement to conduct internal audits.
- You prepare audit participants for the real audit sessions. If necessary, we coach the participants to confidently avoid "typical faux pas" in the real audit.
Pre-audit & preparation session
"Let's see how a certification would work"ISO 27001 Certification
The final step for most companies is ISO 27001 certification. This must be carried out by an accredited certification body. Although we ourselves act as ISO 27001 auditors for the certification body TĂœV Nord CERT, we cannot audit you because we have already accompanied you in setting up your ISMS. After all, we cannot certify our own work.
But we can gladly establish contact with the certification bodies.
ISO 27001 Certification
"The reward of work - give me the certificate"What is an ISMS according to ISO 27001?
The ISO 270xx series of standards is a collection of specifications and recommendations for security procedures and methods to plan, implement, operate and optimize an ISMS. These specifications can be used by companies or organizations of any size and in any industry.
The ISO 27001 standard is designed to be flexible, i.e., it does not recommend specific security solutions or discourage specific alternative solutions. ISO 27001 is a certifiable standard that is internationally recognized and widely used. It also lays the foundation for many other specific standards and best practice collections.
An ISMS according to ISO 27001 consists of
- the PDCA cycle (Plan - Do - Check - Act),
- a risk-based approach, and
- the recommended measures (Annex A).