ISO 27001 Project for a Financial Entity
Let’s first define an Information Security Management System (ISMS)
Information Security Management system (ISMS) is an approach involving process, technology and people that help protect and handle an organization’s information for effective risk management. ISO 27001 is an internationally accepted best practice framework. ISO 27001 standard implementation intends to secure three aspects of information security- confidentiality, integrity, and availability.
Here, confidentiality means not to disclose information to unauthorized people, entities, or processes. Integrity means that the information you share, or handle is free from all forms of corruption. And availability points to information getting accessible and functional for the needs of authorized or legitimate users.
What other advantages does an organization hold with a solid ISMS? More than just compliance, an ISMS helps protect your information regardless of the type or storage platforms. Also, it improves your attack resilience with a centralized framework and significantly reduces costs rounding on information security.
So, here we unfold a case study detailing the particulars of an ISO 27001 engagement process conducted by ValueMentor for a financial entity.
Client in search of ISO 27001 Engagement
The client is a well-known payment solution company with global expansion and coverage in the gulf regions. With an existing ISMS framework in the background, the client was looking to enhance it with the best information security practices, by aligning to the ISO 27001 standard.
Client Requirements
The client requisite for ISO 27001 engagement was to: –
- Upgrade current ISMS practices and obtain an ISMS certification
- Improve the overall existing ISMS structure and its information security posture
- Meet ISO compliance requirements specified by regulatory authorities
Activities Performed
ValueMentor Team performed the following activities in line with the ISO 27001 standard requirements: –
- ISMS gap assessment
- Discovery of applicable ISO 27001 controls
- Identification of probable risks
- Development of mitigation plan
- Remediation assists
- ISMS internal audit
- External audit support
Challenges
- One challenge during the engagement was that physical reach-out was not a feasible option due to the ongoing regulations of the pandemic. However, we remotely delivered the process with maximum security optimization.
- Another challenge that stood in the way was to identify and summarise those security issues bound to distinct business goals. The challenge got addressed by our security experts and subject matter specialists having deep knowledge of aligning business goals with security practices.
- Proper communication and understanding, is one substantial factor in ISO 27001 project. Lack of acceptance and learning can induce challenges and adversely impact the project. ValueMentor consultants, through their in-depth expertise, were able to handhold and guide the client in all aspects towards enhancing their information security and in integration of the security controls to their business-as-usual process.
Strategy
We deployed a dedicated one-team team strategy involving the delivery manager, project manager, an internal audit person, and the specialist consultant crew for ISO 27001 implementation.
We helped the client identify the gaps in their existing IT policies, procedures and processes and prepared an action roadmap for quick mitigation and improvement of ISMS.
The internal audit got delegated to a separate audit team independent of the assessment crew. Also, follow-ups were handled by a dedicated team in the background to better utilize time and efficiency to the fullest.
Process
ValueMentor ISO 27001 engagement process involved: –
- Scoping analysis and discussions
- Identified existing controls
- ISMS gap identification
- Risk identification based on the criticality
- Development of ISMS policies & procedures
- Development of risk remediation roadmap
- Remediation assistance or support
- Performed ISMS internal audit
- ISO external audit support
Results
At the end of the engagement, all client requirements got achieved within the estimated timeline, which includes: –
- Upgraded ISMS practices, policies, and procedures
- Met ISO 27001 compliance requirements
- Client awarded with an ISMS Certification
- Improved information security posture
- A proven way for more technology integrations
Final Thoughts
ISO 27001 plays a significant role in establishing an effective Information Security Management System and helps enhance an organization’s overall information security posture. The deployed ISMS policies, procedures and controls help protect an organization’s information assets at their peak and prime level. Although many organizations are concerned about the affordability factor of an ISO 27001 certification project, it can remarkably reduce your security premium in the long run.