Contact us at +3233693396 or firstname.lastname@example.org for more info or to discuss how you can get ISO 27001 certified.
About ISO 27001 and certification
ISO 27001:2013 is an international standard that specifies the requirements for establishing, operating and continually improving an Information Security Management System (ISMS). An ISMS lets you raise the maturity of your security over time by running a never-ending cycle of improvements (the Deming cycle: Plan, Do, Check, Act) on information security.
ISO 27001 is one framework for an ISMS, not the only one, but it is accepted by many large organisations and governments worldwide as the way to go about implementing information security. ISO 27001 takes a broad view of information security: its Annex A control set spans organisational, people, physical and technical measures, so it helps to cover all the bases rather than only the IT ones.
More information can be found on the website of ISO.
Why implement ISO 27001 and get certified?
Implementing ISO 27001 is a good way of managing security, and certification is an even better way of proving to others that you are doing a good job.
A company that is serious about protecting information will implement ISO 27001 in its important business processes. Many governments around the world agree, and so ISO 27001 is widely seen as a good way to demonstrate compliance with other laws and regulations:
- GDPR (General Data Protection Regulation) in the EU. The Data Protection Authority considers ISO 27001:2013 certification objective evidence of the appropriate technical and organisational measures required by Article 32, and refers to the standard on its website. Note that the certificate only covers what is in its scope statement, so the processing of personal data in question must actually fall within the certified scope.
- NIS Directive (security of network and information systems, i.e. critical infrastructure) in the EU. ISO 27001 is one of the standards referenced for demonstrating compliance with the directive, and national implementations are likely to follow the same line.
- Sector specific regulations such as NEN7510 (Healthcare) in The Netherlands are often based on ISO.
In the business-to-business market, e.g. in finance and healthcare, many large organisations demand that their suppliers adhere to ISO 27001 or even be certified against it. For them it is the most practical way to enforce good security practices across their supply chain without having to audit every supplier themselves.
ISO 27001 has therefore also become a strong marketing and sales tool for any serious company that wants to show its clients how it handles confidential information.
The Toreon approach
At Toreon, we follow the AAA (Triple A: Analyse, Advise, Activate) model in our approach to information security and to ISO 27001 implementation and certification.
Our GRC consultants first perform a security assessment based on ISO 27001. Through workshops and interviews we determine where you stand on each subject covered by the standard. This produces a complete picture of the AS-IS situation and a starting point for a dashboard that can be used for follow-up in later phases. The outcome is presented visually as a radar (spider web) chart.
From the AS-IS review we derive a roadmap for the next few years. We advise you to focus first on the subjects where security is most severely lacking or where investment will provide the best return. The roadmap can be used to direct the attention of management and IT, or to request the right budgets for security improvements.
Activation can mean different things. If ISO 27001 is used for long-term improvement, our architects, application security experts, ethical hackers or industrial security experts get things moving in the right direction. We help you set up and test your security by building 'security and privacy by design' into a holistic information security approach. This makes sure that security isn't an investment in paperwork but a transformational force in your organisation.
If ISO 27001 adherence is needed for external (compliance) reasons, then certification is the way to go. Our governance experts guide the certification process, put the right security controls and processes in place and provide you with the documentation needed to get certified.
We verify our own work with the internal audit that ISO 27001 itself requires (clause 9.2) and finally guide you through the external audit by an accredited certification body, which is the independent party that issues the certificate.
Our team of GRC (Governance, Risk & Compliance) experts consists of people with mixed backgrounds in legal, IT and business. At Toreon, we provide the team that fits your needs and gets the job done!