ISO 27001 Compliance Assessment

ISO 27001 is an information security standard published by the International Organization for Standardization (ISO). ISO 27001 formally specifies an Information Security Management System (ISMS), which is a management framework through which an organization identifies, analyzes and addresses its information security risks. ISO 27001 includes 14 control groups that consist of 35 control objectives and 114 distinct controls. The 14 control groups, and the number of controls in each group, are as follows:

  • A.5: Information security policies (2 controls)
  • A.6: Organization of information security (7 controls)
  • A.7: Human resource security (6 controls, applied before, during and after employment)
  • A.8: Asset management (10 controls)
  • A.9: Access control (14 controls)
  • A.10: Cryptography (2 controls)
  • A.11: Physical and environmental security (15 controls)
  • A.12: Operations security (14 controls)
  • A.13: Communications security (7 controls)
  • A.14: System acquisition, development and maintenance (13 controls)
  • A.15: Supplier relationships (5 controls)
  • A.16: Information security incident management (7 controls)
  • A.17: Information security aspects of business continuity management (4 controls)
  • A.18: Compliance, with internal requirements such as policies and with external requirements such as laws (8 controls)

ISO 27001 Certification Process

The certification process is divided into two stages: the “Stage 1 Audit” and the “Stage 2 Audit”. The “Stage 1 Audit” consists of a documentation review. During Stage 1, the ISO 27001 assessor reviews policies and procedures to ensure that appropriate policies and procedures are in place to meet the requirements of the ISMS. The “Stage 2 Audit” consists of the ISO 27001 auditor performing tests of effectiveness to ensure that the controls have been implemented and operate as required by the ISMS.

Additional ISO 27001 Certification Requirements

In addition to the Stage 1 and Stage 2 audits, the following must be performed in order to become ISO 27001 certified:

  • A periodic and independent internal audit of the ISMS against the requirements of the ISO 27001 standard.

Many organizations have trouble meeting the internal audit requirement due to the following reasons:

  • They do not have personnel that are truly independent. Those responsible for conducting the internal audit should not be auditing functions over which they have operational control or ownership.

To combat these issues, organizations are outsourcing the internal audit requirement to CPA firms, such as Schneider Downs, that possess the appropriate knowledge of internal audit and ISO 27001.

ISO 27001 Internal Audit Approach

We begin our assessment by working closely with you to understand your business processes and, from them, your ISO 27001 compliance scope. We will work with and interview the key individuals within the business and information technology services who are responsible for implementing the ISO 27001 controls, in order to understand your information security policies, procedures, and practices. We will evaluate your compliance with all control requirements through review of the documentation supporting the operating effectiveness of controls. When our evaluation is complete, we will provide your organization with a detailed ISO 27001 compliance assessment report outlining corrective action plans and a detailed roadmap for achieving ISO 27001 compliance.
