Ready. Set. ISO!
We’ve seen a significant increase in the number of security assessments our clients are receiving from their own clients. Whether they’re large corporates or small independent companies, vendor due diligence is becoming a priority for many companies (as it should be). The focus of these assessments often gravitates towards security, and if you haven’t got a lot of controls in place, these assessments can be incredibly burdensome.
For the more medium-size company, it starts becoming pertinent to align to a particular standard, of which there are many to choose from, each with their own merits and focus areas. One such standard that is very widely recognised, is ISO 27001.
Why ISO27001
ISO 27001 is a widely recognised standard which helps businesses establish, implement, maintain, and continually improve their information security practices. Embarking on a journey to ISO 27001 compliance shows a commitment to enhanced security, competitive advantages through trust, regulatory & industry compliance, mature risk management practices, and upholding security as an ongoing priority for the organization.
One of the key benefits of ISO is that you are able to be audited and provided with a certificate proving your compliance to it. The trick is, you need to be ready for this audit!
ISO 27001 contains a wide bank of controls (safeguards) that you can implement within your company to ensure that security is taken care of, effectively implementing an ISMS, or Information Security Management System. These controls are broadly defined into four categories:
Organizational Controls;
People Controls;
Physical Controls; and
Technological Controls
Organizational controls are the definition of what you expect from your staff and how your infrastructure is used. It relates to drafting and implementing the correct policies to secure your business.
People controls speak to the individuals using your infrastructure, such as providing training, skills development, and experiences in order to work in a secure way.
Physical controls are the controls that secure buildings and equipment, such as alarm systems, biometrics, camera systems and so forth.
Technological controls are where cybersecurity comes in, looking at backups, firewalls, intrusion detection and many others.
How does Bamboo help?
As a niche consultancy that serves the intersection of the privacy and security markets, Bamboo prides itself in nurturing skilled professionals from legal, technology, security, and privacy backgrounds.
Because of this knowledge culture, Bamboo is uniquely positioned to offer guidance on both the technical nature of controls to be implemented within your environment, as well as the governance aspects of a mature program that satisfies regulatory compliance requirements.
Simply put, we take the complexity out of compliance and help you implement your requirements in a practical and sustainable way, helping you get to the point where you’re ready to invite the independent auditors in!
Our approach works on four pillars:
Assessment – We will conduct a comprehensive assessment of your current security posture and the business as a whole. This assessment will help us identify any gaps in your security controls and policies when it comes to alignment with the ISO 27001 standard.
Confirmation of Scope – Once we have assessed the business, we will work out the scope of your ISO 27001 project and what components of the business it applies to (the Statement of Applicability). This allows us to more accurately build an estimate for phases 2 and 3, and assess which controls need to be implemented for your particular roadmap.
Implementation – Following the roadmap and implementation plan, Bamboo will assist your internal teams in executing the agreed upon controls, documentation requirements, and evidence gathering for your readiness assessment.
Audit Support – After implementation, Bamboo will work hand-in-hand with you to prepare you for your audit for certification. We’ll assist with any queries and help your management team build confidence in responding to findings and follow-up queries.
So, if you’re a medium size business that wants to up your game in security, and you’re looking for a partner to help you get yourself compliant, give us a shout today!