ISO 27002 Compliance Assessments
Overview
ISO 27002 is an information security standard published by the International Organization for Standardization (ISO). ISO 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS).
The ISO 27002 standard includes the following eleven main sections:
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance
Within each section, information security controls and their objectives are specified and outlined. The information security controls are generally regarded as best practice means of achieving those objectives. SSAE 16 Professionals provides scoping guidance when identifying which controls our clients should implement.
Project Scoping
Our professionals will work closely with your management team to determine which sections of the ISO 27002 standard apply to your business's operations. Through interviews with key management and IT personnel, we identify the controls that need to be in place to meet the ISO 27002 standard. Once the scope of the project has been determined, we begin the ISO 27002 Readiness Assessment.
ISO 27002 Readiness Assessment
A Readiness Assessment is a proactive approach to ensuring your security program will meet the ISO 27002 standard. Entities that are required to undergo an ISO 27001 compliance assessment typically first undergo an ISO 27002 readiness assessment. When developing an information security program, many clients find the first year the most difficult: not only do they have to comply with the new standard, but they also need to build out the documentation and processes that support compliance. This is where our professionals step in. Once we have identified the scope of the project, we create a detailed document request list that includes every piece of documentation we need to perform walkthroughs. We work side-by-side with your management team and IT personnel to perform walkthroughs that verify essential security controls, programs and metrics are in place and designed effectively in accordance with the ISO 27002 standard. Once walkthroughs have been completed, we prepare a detailed report and gap analysis identifying which controls will pass and which will fail. For each failed control, we provide remediation assistance.
Remediation Assistance
Once the Readiness Assessment has been completed, we will provide a detailed gap matrix which includes specific remediation steps the client must perform to pass each control. In cases where documentation is required, we assist in developing policies and procedures. Once controls have been remediated, our team will test the control to ensure it will pass. This second phase of testing is performed at no additional cost to our clients. Our vast experience in this area will create efficiencies in the remediation process, saving your company time and money.
ISO 27002 Testing
For clients who do not require a Readiness Assessment, we can begin the ISO 27002 testing immediately. Once we have identified the scope of the project, we create a detailed document request list which includes every piece of documentation we need to perform our test procedures. This detailed document request list is sent well in advance of onsite fieldwork, saving your personnel time and creating efficiencies in the process. Once onsite, we work side-by-side with your management team and IT personnel and walk through each control requirement. Since our professionals are very experienced in ISO 27002 testing, we are able to minimize disruptions to your business operations while testing is being performed. Our testing procedures will include a mix of interviews, observations and sampling. Once test results have been compiled, we will share the results with management. We will assist management when drafting responses to any gaps which were identified during testing and draft a report for management's review.
ISO 27002 Compliance Reporting
We will tailor the final report to suit the needs of its intended audience. If your company intends to use the report for internal purposes, we will conduct a consulting engagement and collaborate with management to determine the best reporting format for your particular needs. If the primary purpose of the report is to present the findings to external parties, we will perform an agreed-upon procedures engagement and draft the report to comply with the standard reporting format.
Resources
SSAE 16 Professionals has assembled top tier leadership to help our clients through the ISO 27002 Compliance Assessment process. For further information regarding ISO 27002 Compliance, or to request a fee proposal from SSAE 16 Professionals, please visit our Contact Us page to submit an informational form or call 1-866-480-9485 today. We look forward to hearing from you!
