Certification of ISO/IEC 27001:2013 (ISMS)

Information Security Management Systems (ISMS) compliant with ISO 27001 can be certified by Accredited Registrars (also known as Certifying Bodies) worldwide. PMG is a partner of the Accredited Registrar PECB.

The ISO/IEC 27001 certification is a three-stage external audit process that is laid out by the requirements of ISO 17021 and ISO 27006.

Stage 1: An informal review of the ISMS, in which the auditor reviews important documents such as the Information Security Policy, the Statement of Applicability (SoA), the Risk Treatment Plan (RTP) and the other mandatory documents. This stage is used by the auditor and the organization to get to know each other.
Stage 2: The formal audit, in which the auditor tests the various elements of the ISMS against the provisions of the ISO/IEC 27001 standard. Testing is based on collected evidence such as documents, interviews, questionnaires, technical review and/or mathematical artefacts. Auditors test the implementation maturity and operational efficacy of the ISMS. Passing Stage 2 leads to the organization being recommended for ISO/IEC 27001 certification by the Registrar/Certification Body. Certification audits are conducted by ISO/IEC 27001 Lead Auditors.
Qualitative Risk Analysis: Carried out by use of Delphi techniques, surveys, focus groups, questionnaires, interviews, etc.
Ongoing: Certification maintenance requires that the organization undergoes periodic re-assessment (surveillance) audits, at least once every year, to confirm that the ISMS continues to operate in compliance with the provisions of the ISO/IEC 27001 standard.

Why does a company and/or organization need an ISO/IEC 27001:2013 ISMS?

In most organizations that have not adopted an ISMS or any other comprehensive information security management standard, security controls seem to have been adopted or implemented as a 'point solution' to meet certain specific security challenges. These solutions tend to be haphazard, disjointed, incomplete and unconnected to one another. Oftentimes these solutions address only IT systems or data security issues and do not address security vulnerabilities in non-IT information assets (e.g. paper file racks) or in the physical security infrastructure. Issues connected to Business Continuity, Disaster Recovery Planning, HR, etc., which do not have day-to-day security impacts, tend to fall through the cracks when security is done without a proper framework.

ISO/IEC 27001:2013 requires that management:

Methodically evaluate the organization's information security risks, taking into account threats, vulnerabilities, the likelihood that a threat will materialize and, once it does, the impact that the incident may have on the organization;
Adopt and implement a comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

It is important to point out that ISO/IEC 27001 covers more than just IT. The framework and its controls cover all aspects connected with the security of information and of information processing facilities.