More and more, SecureWorks is seeing government, financial services and many other industries require the third parties they work with to be ISO 27001 certified.
Given its global recognition and the fact that it is a security standard applicable to any industry, certification can help organizations improve their security posture as well as make themselves more appealing to potential partners.
In this video, Hadi Hosn, Head of Security Strategy and GRC Consulting, covers the SecureWorks ISO 27001 Certification Methodology. This comprehensive methodology includes detailed phases such as:
- Defining certification scope
- Defining assets & scope
- Risk assessment
- Implementation and improvement
I’m going to talk you through the ISO 27001 certification methodology that we have at SecureWorks. ISO 27001 is an industry standard for information security. It’s been around for a number of years, and it helps organizations align to and certify to a standard that applies to any industry.
More and more we’re seeing government organizations and financial services organizations require the third parties they work with to be ISO 27001 certified. We have a methodology to help those organizations through that certification lifecycle.
The first phase of the certification methodology is really defining the scope of that certification. Defining the scope is agreeing as a business where that certification will apply, whether it’s a data center, an office in Germany, or the global offices of that organization.
That moves us on to actually defining the ISMS policy. The ISMS policy is a document that formalizes the scope of the ISO certification. It includes things like the roles and responsibilities. It includes things like accountability for security, and it includes the RACI matrix of what security is responsible for versus the business units. That defines how the security organization is going to be structured across the company.
The next phase of that certification is around defining the assets in scope of certification. Now the assets can be information assets or physical assets. The information assets can be customer data. They can be financial data. Or they can be things like intellectual property. We need to define those and agree that those are within the scope of certification. The physical assets include IT assets, or they could also be physical offices and locations and the data centers that we have.
Once the assets are defined we can then do a risk assessment. Now the risk assessment is possibly the most important part of the ISO certification process. This is where SecureWorks really adds value to the entire lifecycle.
The risk assessment consists of a threat assessment and a control assessment. When you talk about threat assessment, this is where we identify what the threats to those assets that we’ve identified are. This could be information that we bring in from our Counter Threat Unit to apply to that organization. That includes both internal and external threats to the organization and defines what they really need to worry about from a threat landscape perspective.
For the control assessment, ISO provides a set of controls that organizations can pick from in order to certify to the standard. In the control assessment, the expectation is that SecureWorks will help the organization identify which of those controls they need to comply with in order to address the risks that have been identified, based on the asset priorities. So SecureWorks will come in, help them identify those controls, and assess that organization using questionnaires and interviews with stakeholders to define where the gaps are. As an output from this risk assessment, the organization will have a set of gaps and weaknesses that they need to improve on as an organization.
The next phase is really to implement and improve on security. Implementing those recommendations gives them the ability to align to the ISO certification process. So implementation can be rolling out training and awareness, because as part of the gap analysis we may have found that the organization does not have training for their staff around security. It could mean implementing MSS, Managed Security Services, or developing policies. These are policies relating to the ISO certification. It could be information security policies, acceptable use policies, access management policies, those different sets of security policies you would expect.
SecureWorks can help through that implementation to get them to a stage where they’re ready to go through the audit, which is the actual certification audit. That is the next step. The audit is really two phases. The first is a stage one audit. Stage one is where the organization comes in and does a documentation review of the policies that we’ve developed and the different documentation that we developed across this lifecycle. They would go and take the ISMS policy, they would take the asset register, they’ll take the risk assessment, and they’ll take the policies, and they’ll review those to assure themselves that they are aligned to the ISO certification requirements. The stage two audit is more of a control audit. The control audit is when they actually go through the control assessment, identify where the gaps were, and then identify how the organization has implemented controls to mitigate those gaps. That is a technical audit to make sure the organization is aligned to the ISO certification standards.
This part, the audit part, SecureWorks does not provide on behalf of the clients. We provide everything from here all the way to the audit. We have relationships with auditors and certification authorities, and we can introduce clients to those organizations as and when those are required. This process will then produce a certification, and that certification assures the organization that they are aligned to ISO 27001 and that they are certified to 27001. That certification is valid for three years.
Now this entire process can range from about six months to two years, depending on your organization’s size and depending on the scope of your ISO certification. And that’s our methodology for ISO certification.