The scope defines the information, systems and business operations that will be managed under the organisation’s Information Security Management System (ISMS) and will be certified to ISO 27001.
Defining the scope encourages focus on the most critical areas of your business and the risks faced, as well as informing the selection of appropriate controls to tackle these risks.
Our consultants can advise on the most appropriate scope for your organisation, which may significantly reduce the scale of your ISMS implementation, and the overall cost.
Gap Analysis – ISO 27001
Gap analysis involves comparing what you are currently doing against what you must do to meet the compliance requirements of ISO 27001. It highlights shortfalls in compliance and where efforts must be concentrated to meet the requirements of the standard.
Our expertise allows us to accurately assess your organisation’s current levels of compliance and provide pragmatic recommendations. Additionally, our consultants can perform a gap analysis more efficiently and effectively than internal staff, who are likely to hold other responsibilities and may not be as familiar with the intricacies of the standard.
Risk management is at the core of ISO 27001, so this phase identifies your important information and information processing assets, the assessment of security risks related to these assets, and the mechanisms through which these risks are controlled and monitored.
Our ISO 27001 consultants are recognised as risk management experts, allowing them to build risk management processes that both fit your organisation and meet the requirements of ISO 27001. Working in partnership with you, the team will combine their knowledge of effective risk assessment with your understanding of business operations to accurately assess organisational security risks.
Statement of Applicability (SoA)
The SoA is a fundamental part of your ISMS and is one of the mandatory documents required to achieve certification. It explains which of the information security controls (as specified in Annex A of ISO 27001) have been selected to tackle risk as well as which have been omitted and the reasoning.
Our team’s expertise and experience of ISMS implementation, coupled with your familiarity of the business, helps to ensure that your SoA meets appropriate standards to achieve certification. We can also undertake a gap analysis that compares the current state of these controls against what must be done to meet the compliance requirements of the standard.