ISO27001 is a global security framework developed by the International Organization for Standardization. It is beneficial if your organization adopts other ISO frameworks or does business globally. While we don’t perform “full ISO audits” (i.e., validations), our team has tremendous experience performing ISO27001 gap & risk assessment engagements. We can help you prepare for your formal ISO27001 audit or help you implement a security program designed around ISO if you don’t need or intend to undergo an actual ISO certification.
ISO27001, in its current ISO27001:2022 version, has seven clauses (numbered 4-10) and four themes; we’ll incorporate each into the assessment:
Clauses:
Clause 4: Context of the organization
Clause 5: Leadership
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance evaluation
Clause 10: Improvement
Themes:
People
Organizational
Technological
Physical
ISO27001 Controls
The 93 security controls are divided among the four themes:
- People – 8 controls. A handful of the critical controls are security awareness training, remote working, and screening
- Organizational – 37 controls, such as policies, management responsibilities, threat intel, data classification, inventories, and access control
- Technological – 34 controls, including authentication, management of vulnerabilities, malware protection, logging, monitoring, and testing
- Physical – 14 controls, such as physical security, media storage, and equipment maintenance