ISO 27001 Certifcation

ISO 27001 Certification Consultancy Service

What is ISO 27001 : 2013 Information Security Management System

ISO 27001 is a systematic approach (Plan-Do-Check- Act) for managing companies’ information security to achieve business objectives. It is based on a risk assessment and the companies’ risk defined levels designed to effectively treat and manage risks.

Considering requirements for the protection of information assets and implementing suitable control measures to ensure the protection of these information assets, as required, contributes to the successful implementation of an ISMS.

ISO 27001 information security management system can help your company to better manage your information assets and implement controls to help protect your companies’ information assets from an information security breach.

When implementing ISO 27001 ISMS, your company is required to establish documentation (policies, procedures, guidelines), and allocate associated resources and arrange activities for protecting its information assets.

Benefit of ISO 27001

  • Enhance corporate creditability through the recognition of the ISO 27001 Information Security Management System.
  • Demonstrate the validity of information and a real commitment to upholding information security.
  • Improve employee ethics and the notion of confidentiality throughout the workplace
  • Allow corporate to enforce information security and reduce the possible risk of fraud, information loss and disclosure

What is it for ?

  • Fulfilment of tendering and Pre-qualification requirement
  • Improvement of safety awareness of frontline
  • Enhancement of corporate image and safe workplace
  • Especially for service provider which handle a huge of  confidential information, Software developer

Looking for a helpful ISO 27001 Consultant?

Features

Saving Time & Money

No hidden cost. Completion within budget and timeframe.

Easy to follow

Straight forward & Simple ISO documentation. Minimum workload is required.

Precise Training

Precise briefings / trainings to client for quick glance

Flexible schedule

Arranging meeting schedule up to Client request

Testimonials

Client

Contact us

Frequent Asked Question

UKAS means the United Kingdom Accreditation Service. UKAS is the UK’s National Accreditation Body, responsible for determining, in the public interest, the technical competence and integrity of organisations such as those offering testing, calibration and certification services

ISO 27001 certification without UKAS accreditation may mean that your organisation have a risk to lose large contracts and business opportunities due to unrecognised ISO certification.

The Fees depend on company size, number of locations, business nature and operation complexity.
For Company (Staff < 20), it take 4 months on average.
For Company (Staff ~50), it take 6 months on average.
For Company (Staff ~100), it take 7-9 months on average.

You may take below steps :

1) ISO 27001 Gap Analysis.
2) Establishment of ISO 27001 Documentation.
3) Attend ISO 27001 Training.
4) Implementation of ISO 27001 System.
5) Arrange an Internal Audit
6) External ISO 27001 Audit by Certification Body

There are two major Fees.
1) ISO 27001 Certification Fee charged by Accredited Certification Body such as SGS, Lloyd’s Register,BV, BSI, British Assessment, NQA…
2) Consultant Fee charged by us.
The Fees depend on company size, number of locations, business nature and operation complexity

Yes. You can take a series of training courses, draft the documentation…. liaise with Certification Body if you have sufficient time and master the ISO 27001 requirements

No. Because of conflict of interest. Certification Body can provide ISO 27001 Standard generic training only but cannot tell you how to implement ISO 45001 System in your company.

Absolutely Yes. In general, ISO Consultant will draft documentation, guide your company to implement ISO 27001 system until passing in ISO 27001 Certification Audit.

In general, the company can put the ISO 27001 logo in the website, name card and letterhead after receipt of corresponding ISO 27001 Certificate

In general, penetrating test or vulnerability scanning may be considered. It depends on the company business nature. 

There are 14 domains of ISO 27001 Controls & Objectives

A.5.1 Information security policy

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.6.1 Internal organization

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A.6.2 Mobile devices and teleworking

Objective: To ensure the security of teleworking and use of mobile devices.

A.7.1-7.3 Prior to, during and termination of employment/p>

Objective: To ensure that employees and contractors are aware of, fulfil and understand their responsibilities and are suitable for the roles for which they are considered.

To protect the organization’s interests as part of the process of changing or terminating employment.

A.8.1 Responsibility for assets

Objective: To identify organizational assets and define appropriate protection responsibilities. Information Classification

A.8.2 Information classification

Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.3 Media handling

Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.9.1 Business requirements of access control

Objective: To limit access to information and information processing facilities.

A.9.2 User access management

Objective: To ensure authorized user access and to prevent unauthorized access to systems and ser- vices.

A.9.3 User responsibilities

Objective: To make users accountable for safeguarding their authentication information.

A.9.4 System and application access control

Objective: To prevent unauthorized access to systems and applications.

A.10.1 Cryptographic controls

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authen- ticity and/or integrity of information.

A.11.1 Secure areas

Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.

A.11.2 Equipment

Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.

A.12.1 Operational procedures and responsibilities

Objective: To ensure correct and secure operations of information processing facilities.

A.12.2 Protection from malware

Objective: To ensure that information and information processing facilities are protected against malware

A.12.3 Backup

Objective: To protect against loss of data.

A.12.4 Logging and monitoring

Objective: To record events and generate evidence.

A.12.5 Control of operational software

Objective: To ensure the integrity of operational systems.

A.12.6 Technical vulnerability management

Objective: To prevent exploitation of technical vulnerabilities.

A.12.7 Information systems audit considerations

Objective: To minimise the impact of audit activities on operational systems.

 

A.13.1 Network security management

Objective: To ensure the protection of information in networks and its supporting information pro- cessing facilities.

A.13.2 Information transfer

Objective: To maintain the security of information transferred within an organization and with any external entity.

A.14.1 Security requirements of information systems

Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.2 Security in development and support processes

Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.3 Test data

Objective: To ensure the protection of data used for testing.

A.15.1 Information security in supplier relationships

Objective: To ensure protection of the organization’s assets that is accessible by suppliers.

A.15.2 Supplier service delivery management

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.16.1 Management of information security incidents and improvements

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.17.1 Information security continuity

Objective: Information security continuity shall be embedded in the organization’s business continu- ity management systems.

A.17.2 Redundancies

Objective: To ensure availability of information processing facilities.

A.18.1 Compliance with legal and contractual requirements

Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to infor- mation security and of any security requirements.

A.18.2 Information security reviews

Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

Scroll to Top