Become Certified in the Best Practices in Information Security Management

Why ISO 27001?

In today’s world of relentless security attacks, merely claiming that your data is secure is not enough – you need to certify that your information security controls are in place and operating as intended.

If you’re a technology-based service provider that stores client information in the cloud (e.g. SaaS or other cloud service providers), your customers may have asked whether you are ISO 27001 certified. Perhaps your organization is seeking to enhance its information security controls and wants to market that as a competitive advantage. Either way, ISO 27001 has become the most popular and internationally recognized standard for Information Security Management Systems (ISMS).

More often than not, organizations do not have the in-house expertise and/or bandwidth to manage an ISO 27001 implementation. Many companies find it challenging to adopt the standard while remaining mindful of costs. Our team specializes in Information Technology Compliance Frameworks and Information Security Consulting. Our customized, flexible compliance model, combined with our team of experienced experts, guarantees a successful ISO 27001 implementation, certification, and continuous improvement. Our model is designed to provide practical and relevant guidance that not only meets your audit certification requirements, but also enhances your security posture and demonstrates confidence to your customers – without breaking the bank.

Our clients benefit from our Security Compliance-as-a-Service (SCaaS) model where we guide our clients through the entire ISO 27001 lifecycle as well as provide Virtual CISO Services – On Demand. Elevate has developed core packages that are customized to meet our client’s needs and are flexible to adapt to any business environment (from non-profits; to start-up technology firms; to Fortune 500). Our packages are designed to maximize client value by improving the control environment that mitigates cybersecurity threats; all while mapping the necessary improvement measures to the ISO 27001 standards.

How Elevate Can Help

Our SCaaS modules are designed to provide you a customized combination of ISO compliance services, at the right level of service, to meet your specific needs and maximize your investment.

ISO 27001 Risk Module

  • ISMS Standards Configuration
  • ISO 27002 Risk Assessment + Risk Treatment
  • ISMS Control Scope Definition
  • ISMS Internal Audit + Annex A Controls
  • Security Impact and Objectives Analysis
  • External Vulnerability Scans
  • Internal Vulnerability Scans
  • Penetration Testing
  • Corrective-Action Plan

ISO 27001 Incident Module

  • Table-Top for Disaster Recovery Plan
  • Table-Top for Business Continuity Planning
  • Table-Top for Cyber Incident Response Plan

ISO 27001 Training Module

  • KnowBe4 Training Licenses and Maintenance
  • Phishing campaigns

ISO 27001 Governance Module

  • ISMS Documentation Management Policy Creation and Maintenance
  • ISMS Statement of Applicability (SoA)
  • ISMS Charter Creation and Committee Structure
  • ISMS Manual Creation and Maintenance

ISO 27001 Reporting Module

  • Information Security Objectives and Metrics
  • ISO 27001 Information Security Assessment Report
  • Consolidated List of Findings

Our customized service and modular approach demystify and simplify your ISO 27001 compliance certification process. Working with our team of security and IT compliance control experts not only shortens your certification readiness process but also enhances your security posture and the confidence you present to your customers.

Elevate offers an ISO 27001 readiness assessment to assist organizations in configuring their ISO standards against the Annex A controls while securing their environment.

The International Organization for Standardization (ISO) is a governing body that develops and publishes international standards covering almost all aspects of technology and manufacturing. ISO, along with the International Electrotechnical Commission (IEC), has set the international standards on Information Security Management Systems (ISMS) in the ISO/IEC 27000 series. Specifically, the guidance on security techniques, ‘ISO 27001’, and the code of practice for information security management, ‘ISO 27002’, are commonly known together as “ISO 27001/2”. A number of regulating agencies, including the Data Protection Commissioner, have declared ISO 27001/2 to be a benchmark for prudent and competent practice.

It’s important to note that ISO/IEC does not issue certifications. Achieving an ISO certification requires the engagement of an independent accredited attestation firm (i.e. Certifying Body). In 2013, ISO and IEC revised the internationally recognized certifiable information security standard for Information Security Management Systems (ISMS): ISO/IEC 27001:2013.

At-a-glance, the ISO 27001/2 framework consists of two main components:

  • Mandatory Requirements: 28 specific controls that are broken into 7 overall components consisting of governance, risk assessment, internal audit, information security awareness, and continuous process improvement.
  • Annex A Controls (ISO 27001:2013): 114 controls are divided into 14 categories.

Like the other ISO management system standards, certification is completely voluntary. Some of our clients obtain certification to demonstrate and market their best practices, while others need to provide assurance to certain customers.

ISO 27001/2 can be implemented in any kind of organization, for-profit or non-profit, private or state-owned, small or large. It was written by the world’s best experts in the field of information security and provides a methodology for the implementation of information security management in an organization. Organizations that want to become ISO 27001 certified must engage an independent certification body.

ISO does not provide certifications. However, a number of standards related to the certification process are provided by ISO’s Committee on Conformity Assessment (CASCO). Most independent certifying bodies use the CASCO standards to guide them through the certification process. Read more about CASCO Standards.

As with most compliance programs, the cost to achieve the first-year certification depends mostly on your scope. Organizations that have multiple physical locations and hundreds to thousands of employees tend to have highly complex environments with compounding IT security threats.

The average cost of obtaining ISO 27001/2 certification can range from a few thousand up to a few hundred thousand dollars, depending on your scope, service activities, IT platform complexity, security and compliance maturity, as well as other factors.

The following is a shortlist of cost factors to consider when creating a budget for your ISO certification.

  • Scope: Depends on the complexity of your Information Security Management Systems (ISMS), activity type performed within your ISMS, varying degree of IT platform diversity, the number of sites (including disaster recovery sites), and the number of IT personnel (including outsourced functions) that are included in the scope. Make sure to map out your scope in your Statement of Applicability (number of Annex A controls that are applicable) using ISO 27006 to document your requirements.
  • Consultative Approach: There’s no shortage of options when it comes to hiring ISO 27001 advisory services. If you are able to receive a quote for your ISO services via an internet form or 10-minute phone call with a software sales guy that sells compliance by the click, you’re not talking to the right organization. Any serious security and compliance consulting firm will need to schedule an in-depth scoping call to understand your scope, your unique operating environment, and your compliance goals first before giving you a quote for readiness services.
  • Certification Audit by Certifying Body (CB): It is absolutely critical to make sure your certifying body is accredited by a recognized accreditation body that is a member of the International Accreditation Forum (IAF). The IAF website provides a full list of recognized accredited certifying bodies, searchable by country. The bottom line: if your CB is not on the IAF list, your certification may not be valid.
  • Surveillance Visits by Certifying Body (CB): Once you are ISO 27001 certified, the certifying body must perform surveillance visits to determine whether your ISMS is operating as intended. The surveillance visit focuses on areas that were out of scope during the audit. For example, a common area of interest during a visit is an inspection of incident response monitoring, measuring, reporting, and the response plan. During the visit, the auditor will focus less on documentation and more on key operations. Failure to pass a surveillance visit may lead to failure to obtain re-certification. This is just another reason why we advise our clients to think through their ISMS strategy and not merely meet a compliance requirement.

Based on our client experience, the following cost types are estimated for a simple average scope complexity of low, medium, or high. However, each client’s unique environment, scope, and current control environment is individually assessed to determine a more accurate cost estimate.

Cost Type                  Low                  Medium               High
Consultant Cost            $20,000 to $50,000   $35,000 to $75,000   TBD
Capital Expenditures       > $30,000            > $50,000            TBD
Certification Audit – CB   $10,000 to $20,000   $15,000 to $30,000   TBD
Surveillance Visits – CB   TBD                  TBD                  TBD

Note: A highly complex scope environment is difficult to estimate. In addition, the ongoing cost of maintenance to ensure successful surveillance visits is difficult to estimate, as it depends on the quality of the consulting services provided as well as management’s capacity to manage the ongoing process.

Building a strategy for your Information Security Management System (ISMS) framework selection should consider your industry, compliance, and scope requirements. Proper scope determination and framework selection are crucial to successfully obtain your ISO 27001 certification and maintaining your certification during your surveillance visits. For example, if you’re a technology service provider that processes insurance claims for federal agencies, you may need to leverage NIST 800-53, HITRUST CSF, ISO-27001 as well as other compliance frameworks (e.g. HIPAA). Your ISMS scope must be broad enough to satisfy multiple stakeholders (i.e. internal departments, clients, regulatory bodies, etc.) yet specific enough to meet your ISO 27001 requirements. Also, keep in mind, every three years, you need to go through a recertification process that includes a surveillance visit by your certifying body. With that said, the ISO 27001/2 certification requirements consist of the following:

  • Mandatory Requirements: 28 specific controls that are broken into 7 overall categories, including governance, risk assessment, internal audit, information security awareness, and continuous process improvement.
  • Annex A Controls (ISO 27001:2013): 114 controls, divided into 14 categories.

The latest revision of the ISO 27001 standard was published in 2013 as ISO/IEC 27001:2013. The original ISO/IEC 27001 was adopted by the British standard BS 7799-2, which introduced the Plan-Do-Check-Act (PDCA) cycle and contains 114 controls divided under 14 chapters; this structure is under consideration to be restructured under ISO 27002:2021.

  • In 2018, ISO 27000:2018 was updated to provide an ISMS overview as well as commonly used ISM terms and definitions. This document applies to all ISMS family standards.
  • In 2019, ISO 27701:2019 extended ISO 27001 by specifying requirements for a Privacy Information Management System (PIMS). This framework provides organizations a system to support compliance with the EU’s GDPR, California’s CCPA, and other data privacy requirements.
  • By the end of 2021, ISO 27002:2021 is expected to be published. It is also expected that ISO 27001:2013 will be updated shortly after.

At a glance, ISO 27002:2021 will contain 93 controls divided over four chapters:

  • Chapter 5 Organization (37 controls)
  • Chapter 6 People (8 controls)
  • Chapter 7 Physical (14 controls)
  • Chapter 8 Technological (34 controls)

Each control will be tagged with:

  • Control type (preventive, detective, corrective)
  • Classification (confidentiality, integrity, availability)
  • NIST concept (identify, protect, detect, respond, recover)
  • Operational capabilities (governance, asset management, physical security, etc.)

The biggest challenge our clients face in obtaining ISO 27001 certification is fully understanding the scope of their Information Security Management System (ISMS) and avoiding a narrow scope focused solely on obtaining the initial ISO 27001 certification. Every three (3) years, ISO 27001 certification requires a recertification process. For example, if your initial certification is obtained in November 2021, your certification is valid until November 2024.

Your certifying body guarantees that your ISMS is valid for a three-year period. In order to validate that guarantee, your certifying body must conduct periodic surveillance visits. Surveillance visits are typically conducted on an annual basis. Depending on your certifying body, they could visit bi-annually.

The purpose of the surveillance visit is to validate that your ISMS is operating as intended. The auditors will check whether the processes are working as described in the documentation. This is why selecting the proper framework and controls, and making sure they will perform as intended in your environment before you begin your certification process, is critical to keeping your certification.

At our core, we are ‘Information Technology Experts’ and ‘Cybersecurity Advisors’.

Contact Us