ISO / IEC 27001 Readiness Services
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have established the ISO / IEC 27001 standard (commonly referenced as ISO 27001) to assist organizations in securing their information assets. More than 33,000 organizations have adopted this standard to manage the security of financial data, intellectual property, employee data, payroll data, and information entrusted to them by third parties.
An update to ISO 27001 was published on October 25, 2022, with the new 27001:2022 standard updating the previous 27001:2013 version. Organizations must transition to the 27001:2022 standard by October 31, 2025. (Certificates for 27001:2013 expired on October 25, 2023.)
An important supplement to ISO 27001 is a reference set of information security controls and implementation guidance known as ISO 27002. Version 27002:2013 was also updated to 27002:2022.
The ISO 27001 standard provides detailed, customizable guidance to help organizations create, implement, maintain, and continuously improve their information security management systems (ISMS). It is often adopted to aid compliance with HIPAA and other regulations, including the GDPR.
Preparing for ISO 27001 certification or renewal
Organizations that adopt the ISO 27001 standard are certified to that effect, and certification must be renewed every three years. Our services include preparing clients to (1) obtain initial certification, (2) continuously improve their systems, and (3) renew their certification. For example, we assess against the 27001 controls, review policies and procedures, evaluate IT controls, and analyze how the ISMS has been established.
Among our ISO 27001:2022 readiness services are:
- Gap Assessment between your current state and ISO 27001 controls
- Security Risk Assessment (based on ISO 27001 or NIST CSF)
- Improvements to your overall information security program as well as to your Information Security Management System (ISMS) as needed
- Review of existing policies and procedures, and creation of new policies and procedures as required
- Review of existing IT controls and practices, and creation of new IT controls as required
- Detailed report with findings, feedback, and recommendations