ISMS Consulting Services
Our ISMS consulting services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS). Our team of experts brings extensive experience and deep information security process control expertise (including Exemplar Global certified ISO/IEC 27001:2013 Lead Auditors) to ensure that you achieve ISO 27001 certification on time and on budget.
An ISMS covers both cyber and information security controls. ISO/IEC 27001 uses the same high-level management system structure as ISO 9001 and AS9100, so it can be implemented to complement a company's existing Quality Management System. This allows for a combined management review, a shared corrective action process, and common control of documented information, among other shared processes.
Most ISMSs end up incorporating not only the NIST SP 800-171 requirements (which DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, imposes on defense contractors) but also other US Government and commercial requirements. This is why the planning stage of an ISMS implementation is critical: it must capture what is required today and tomorrow in a system that supports change. A good ISMS implementation is always adjusting, adapting, and improving in order to mitigate risk.
Our consultants work collaboratively with you throughout the entire certification process, from ISMS scope definition through on-site Certification Audit Support, or through a third-party Certificate of Attestation. Our Consulting Experts can provide a variety of ongoing support services to successfully certified clients, often participating in Information Security Risk Assessments and conducting ISMS Audits to help maintain certification or attestation status.
Our Consulting Services Include:
- Strategy and Framework Selection – The optimal approach to ISMS development must consider the industry, relevant regulatory compliance, and attestation requirements.
- Scope Determination & Optimization – The scope needs to be broad enough to ensure that it will satisfy key stakeholders (e.g., clients, shareholders) but narrow enough to ensure the initial effort remains manageable.
- Risk Assessment – ISO/IEC 27005 has an advantage over many other risk assessment standards in that it is well suited to a non-asset-based approach. This “information and the processes that act on it” approach yields a more intuitive process that delivers greater value in less time.
- Risk Treatment Plan Development – The risk treatment plan defines which ISO 27002 controls (the ISO 27001 Annex A control set) are required, and the extent to which each must be implemented, to treat (mitigate) risk to a level deemed acceptable by management. Together with the Statement of Applicability, which records each Annex A control as applicable or excluded with a justification, it is a fundamental ISMS artifact and forms the baseline for the gap assessment.
- Gap Assessment – Defining the gap between the current and desired state of the ISMS (ISO 27001) is a key input into a “Prioritized Road Map” (Gap Remediation Plan).
- Security Controls Gap Assessment – Review of the gap between the current and desired state of the control practices is a priority input into a Gap Remediation Plan. ISO 27002 Gap Assessments are widely used outside of ISO 27001 certification efforts as a “best security practices” gap assessment and can also be used to serve as a form of design/operational attestation.
- Prioritized Road Map Definition – The road map defines all of the activities, the approach, and the responsibilities necessary to address identified gaps, with consideration of the schedule required to achieve project objectives, including certification.
- Gap Remediation Facilitation/Support – Ideally, gap remediation is largely accomplished by the internal team; third-party services can be applied where required.
- Security Metrics – Security metrics are critical to the optimal operation of an ISMS, as they are integral to demonstrating the continual improvement that is inherent in most companies’ successful ISMSs.
- Policy, Standards, & Procedure (subject matter) Support – ISMS Consulting SME (Subject Matter Expert) services include coaching, mentoring, structure, version control, procedure preparation and training.
- Ongoing Risk Management Team Membership – A company may benefit from having the ISMS SME participate as a member of the Risk Management Committee to ensure the ongoing effectiveness of the risk management function, which is critical to the ongoing effectiveness of the ISMS. Many organizations favor including an independent and objective third party with cross-organizational and cross-industry expertise to optimize the operation of the Risk Management Committee.
- Incident Response Support – Procedures and other controls that enable the timely detection of, and response to, incidents are essential to an ISMS and to the principle of continual improvement. Our ISMS Consulting SMEs can help you implement them.
- Internal Audit – Internal Audit Training or Internal Auditing Service (1st Party) to verify that:
- The ISMS conforms to the requirements of ISO/IEC 27001 and to relevant regulations or laws;
- The ISMS conforms to the organization’s own identified information security requirements; and
- The ISMS is effectively implemented and maintained, and performs as expected.
- Certification Audit Support – Many organizations believe that having a CVG Strategy Exemplar Global Certified ISO 27001:2013 Lead Auditor on-site during one or both of the certification audit phases simplifies the process and reduces the risk that a non-conformance may be cited.
Unless your company offers cloud data storage as a product or is contractually required to be certified, a Certificate of Attestation is usually adequate. This is attained by having your ISMS audited by an independent outside party holding a current ISO 27001 Lead Auditor certificate. The attestation follows the same methodology as a certification cycle: a complete audit in year one, surveillance audits in years two and three, and then a repeat of the complete audit scope. The audit usually includes a penetration test performed by a separate, independent party. Note that an attestation is issued by the auditing party rather than by an accredited certification body, so it is not the same as accredited ISO 27001 certification; confirm that your customers and contracts will accept an attestation before choosing this route.
CVG Strategy Can Help DoD Contractors with CMMC
CVG Strategy can help businesses in the DoD supply chain meet CMMC and interim requirements.