The Pathway to Information Security Management and Certification
Information security is a complex area to handle well. The possible risks to information assets and reputation, including computer systems and countless filing cabinets full of valuable proprietary information, are difficult to determine and bring under control. Plus, this needs to be done in ways that don't unduly interfere with the legitimate use of information by authorized users.
The most practical and cost-effective way to handle information security and governance obligations, and to be seen to be doing so, is to adopt an Information Security Management System (ISMS) that complies with a recognized standard such as SOC-2 or ISO 27001. An ISMS is a framework of policies, processes and controls used to manage information security in a structured, systematic manner.
Why implement an ISMS and pursue an Information Security Certification?
- Improves policies and procedures by addressing critical security-related processes and controls
- Minimizes the actual and perceived impact of data breaches
- Provides objective verification that the security risks to information assets are controlled
At a high level, the ISMS will help minimize the costs of security incidents and enhance your brand. In more detail, the ISMS will be used to:
- systematically assess the organization's information risks in order to establish and prioritize its security requirements, primarily in terms of the need to protect the confidentiality, integrity and availability of information
- design a suite of security controls, both technical and non-technical in nature, to address any risks deemed unacceptable by management
- ensure that security controls satisfy compliance obligations under applicable laws, regulations and contracts (such as privacy laws, PCI and HIPAA)
- operate, manage and maintain the security controls
- monitor and continuously improve the protection of valuable information assets, for example by updating the controls when the risks change (e.g. responding to novel hacker attacks or frauds, ideally in advance, so that actual incidents are prevented!).
Information Security Focus Areas
- What is the proper scope for the organization?
- What are applicable areas and controls?
- Are the proper policies & procedures documented?
- Is the organization living these values?
What are the Outcomes?
- Improved InfoSec policies and procedures
- Confirmation of the implementation of Incident and Risk Management
- Completion of Asset and Risk register
- Implementation of an Information Security Management System (ISMS) for your scope
- Preparation for the independent certification auditor
- Trust gained from customers and partners.
Information Security Certification Preparation Project
Key Project Activities
- Define Certification Scope
- Perform Gap Assessment against the relevant standard (SOC-2, ISO 27001)
- Identify Documentation Requirements
- Identify Evidence Requirements
- Develop New Documents required for certification
- Perform Impact Assessment
- Maintain Data Flow diagrams
- Maintain Risk Register
- Prepare for Pre-Certification Audit
- Remediate findings from Pre-Cert Audit
- Prepare for the Stage 1 and Stage 2 audits
- Obtain Standards Body Certification or audited Report
FP Complete has extensive experience in the preparation of SOC-2 and ISO 27001 certifications, as well as many other security certifications. Contact us if we can help your organization.
Do you like this blog post and need help with DevOps, Rust or functional programming? Contact us.