ISO 27001 - Information Security Management

ISO 27001 consultant support

As ISO 27001 consultants, we have helped businesses in London, Kent, Sussex, Surrey, Essex and beyond to achieve ISO 27001 certification. Whether in person or through remote consultancy, our experienced consultants will help you implement a valuable ISO management system which is tailored to your business.

We see ourselves as your partners, working together to strengthen your information security. We have 3 principles we stand by when helping you to implement an ISO 27001 Management System:


  • We will remove the stress & confusion from the process
  • We will help you to engage people at every level of your business
  • No bureaucracy - no documents for the sake of it - only tailored security solutions


Free 1-hour consultation

Undertaking ISO 27001 is both a financial and resource commitment. We are pleased to offer a free 1-hour consultation session to help you understand how far you may currently be from achieving certification, the typical timescales for certification and the internal resources you will need to make available for the project. Please call on 020 3018 0026 or submit a request here to book a session.


1 day gap analysis

If you are looking to determine where your business currently stands with regards to meeting the ISO 27001 requirements, we provide a 1-day gap analysis session. During this session we will take each of the core requirements of the standard, assess your level of compliance and produce a report that outlines your areas of strength, your areas of weakness and the actions that need to be taken. Please call on 020 3018 0026 or submit a request here to book a gap analysis.


Your business is unique - your management system needs to be unique too

We believe there is no place for a cookie cutter approach to ISO 27001 - trying to apply an off-the-shelf package of policies and procedures will quickly leave you feeling burdened by paperwork that has no measurable benefit.

Instead, we ensure that our ISO 27001 consultants have significant industry and ISO experience so we are able to apply our accumulated knowledge in a way that is aligned to your business. Although this will take a little bit more consultation work than an off-the-shelf solution, the benefits are real. To ensure that time is spent on activities that really bring value, we have a significant library of tools and documentation that we tailor to the unique requirements of your business.


Features of our implementation

We start every implementation by learning about your business, its infrastructure, your aims for certification and your key perceived risks. This allows us to focus on the areas that will bring you most benefit.

We then arrange a series of calls and in-person visits, covering the requirements in the ISO 27001 standard. An optimised implementation involves 2SB consultants introducing three to four ISO 27001 aspects during each session, discussing them with you to tailor their exact application, and once you feel confident, leaving you to make progress.

In each subsequent session the work that you have completed will be reviewed together with the consultant, to ensure the approach is working and that the requirements of the ISO 27001 standard are met. For more information about the ISO 27001 standard and how the certification process works, see our detailed guide.


Using technology

At 2SB we embrace technology, but recognise that each business has a different level of adoption.

We can just as equally use a digital project management tool as a traditional action list to guide the ISO 27001 implementation - we will work in the way that most suits you.

There is an ever-increasing number of great software solutions available for managing every aspect of a business, from the onboarding of new employees to creating digital learning platforms for staff training, and we can make suggestions for how these may complement your business and streamline internal processes. We have found that the best implementations build on the productivity applications you already have in place, such as Airtable, Monday, Google Sheets, Trello, Confluence and Jira, used effectively. The key is to integrate ISO 27001 into your working practices so it is fully embraced and isn't dusted off once a year before the auditor arrives.

For remote sessions we use a range of video conferencing software and can adopt whichever tool your organisation prefers.


Always available to support you

We are on hand whenever you have a question and believe in being generous with our time, since we are as genuinely committed to your management system as you are. Reach out to us today and we can help you define your strategy for implementing a UKAS-accredited, ISO-certified management system.

ISO 27001 in startups

An increasing number of startups and growth stage technology businesses are being required to have ISO 27001 in order to demonstrate their information security credentials to corporate clients.

Our ISO 27001 consultants have significant experience working with startups and will implement an effective information security management system that fits with the culture of your business.

One of the common concerns of scaling businesses is that the implementation will place a significant workload on critical internal resources. Although a properly implemented ISO 27001 management system requires the dedication of a business, the process does not need to be burdensome.

We utilise the productivity tools you already have in your business to structure the implementation and deliver on many of the requirements of the standard. We have the full range of policies and procedures that you will require for the implementation, and will help you to tailor these.

There is no better time to implement an ISO 27001 management system than before the growth stage, as smaller teams accelerate implementation timeframes. The startups that we have worked with report a range of benefits, including: the clarity brought by creating a more comprehensive visualisation of network infrastructure; solid and repeatable onboarding processes; better administration of access to software, applications and servers; and confidence that the correct contracts are in place with critical suppliers, customers and contractors.

Everything worthwhile requires dedication; however, we will help you to streamline the implementation process and maybe even enjoy it a little...

Trust

  • We are a 'safe pair of hands' and will get you certification
  • We mindfully engage team members at every level

Alignment

  • No bureaucracy, only useful processes and documentation
  • An implementation that will address your key business risks

Value

  • Help to capture your previously undocumented organisational knowledge
  • Achieve certification quicker with less drain on internal resource

Steps to certification...

Consultation – initial fact finding conversation in person or on the phone to understand more about your business

Proposal – when we understand what your needs are, we will produce a proposal that outlines the support required

Implementation – we will work with you over a series of onsite and offsite days to prepare you for an external audit

External audit – we can support you through the external audit to give you confidence in gaining certification

Ongoing support – we assist with annual audits and certification visits to ensure you retain your certification

Case study: Information security helps a healthcare business protect its data

Meet a consultant: Jon Passmore, Management Systems Consultant & Director

Frequently asked questions

What is ISO 27001:2022 and how does it impact you?


ISO 27001 is a specification for an ISMS – an Information Security Management System. An ISMS is a set of policies, procedures, processes and systems that manage information security risks, such as cyber attacks, hacks, data leaks or theft. The ISO 27001 standard provides requirements for establishing, implementing, maintaining and continually improving an ISMS.

With ISO 27001:2013 being nearly a decade old, the new version, ISO 27001:2022, is much needed. The technology and threat landscape has shifted significantly, with trends such as the move to cloud computing and the heavy adoption of third-party applications, which are underrepresented in the 2013 version of the standard. The changes in the update are a positive step for keeping the most up-to-date controls in place to protect your organisation.

The release of the new version of the standard will create considerations for those looking to implement an ISO 27001 system for the first time, as well as those who are already certified to ISO 27001:2013.

New to ISO 27001?

For those companies looking to implement ISO 27001 for the first time, we have entered a short period in which the decision about which version of the standard to implement is up in the air.

Certification bodies will require a number of months after the anticipated October 2022 release to be accredited by UKAS to certify against the new standard. Most certification bodies are not completely sure when they will be able to audit against the new standard, however April 2023 has been stated as the target by several certification bodies. 

This means that if you are an organisation looking to certify before February 2023, you would be best certifying to ISO 27001:2013 and then transitioning at your first or second annual audit. If you have started to, or are about to undertake an implementation but don’t expect to certify until around April 2023, it will likely be best to implement the new version of the standard (ISO 27001:2022).

What do you do if you have an existing ISO 27001 system?

If you are already certified to ISO 27001:2013 you will need to transition to the new version of the standard within 3 years of its initial release (roughly October 2025). This gives plenty of time to alter your system to meet the new requirements. 

We recommend transitioning (i.e. being assessed against the new standard) at one of your regular annual audits. Depending on a number of factors, the transition is likely to add a day or two to the length of your regular audit.

What are the differences between ISO 27001:2013 and ISO 27001:2022?

Clauses 4-10 of ISO 27001 already align with the other main ISO standards, so it would be surprising if any game-changing requirements were added here.

We instead anticipate that the main differences between the standards will be found in Annex A of the ISO 27001 standard - the long list of 114 security controls. This is also represented in your "Statement of Applicability" if you are already certified to ISO 27001:2013.

In Annex A of ISO 27001:2013, the 114 controls were spread across 14 categories. These will be modified with the new standard, which will instead have 93 controls across 4 domains.

11 controls are completely new, and others have been modified or merged; a proportion of controls remain unchanged in substance from the old version. To give a flavour of some of the updated requirements, these include:

  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

What next?

Deciding when and how to transition or which standard to implement will take some consideration.

Email us at info@2sb.co.uk to discuss your path to becoming certified against the new ISO 27001:2022 standard.