Overview

We provide comprehensive consulting support to help you achieve ISO 27001 2022 certification.
With over 500 customers across the world in multiple sectors, we have one of the most comprehensive ISO 27001 consulting offerings. Implementing and achieving ISO 27001 certification requirements will reduce the risk of breaches, enhance customer confidence, and bolster overall security.
Our team of seasoned consultants will guide you through the entire process, offering expert advice at every juncture. Our ISO 27001 certification consulting services will significantly enhance your security measures and guarantee a seamless ISO 27001 certification. Please call or contact us to get started.

Start Your ISO 27001 Journey Now!

ISMS – ISO 27001 Consulting Engagement Phases

Here is a brief overview of al the phases involves in implementing ISMS-ISO 27001 certification.

Phase I - Understanding Business and Security Objectives

Every client is unique with its business model, customers, and information security requirements
The ISMS-ISO 27001 implementation journey starts with this phase where we determine and document the clients’ business requirements for Information Security management system (ISMS).
This is where ISMS context, requirements of internal and external parties, and scope are determined and documented.

Phase II - Gap Analysis and Risk Assessment

Based on the outcome of phase I, a combination of approaches is applied by Coral ISMS ISO 27001 consultants to conduct the gap analysis.
A session with each organization team to asses their current scope of work and their controls are determined.
A Penetration test against their applications and network reveals their current state of security vulnerabilities.
A threat model approach is applied to determine their systems and their current process gaps.
With more and more organizations choosing a combination of on-prem and cloud infrastructure, an assessment may involve a set of controls and their effectiveness across both environments.
ISO 27001 Gap Analysis phase is a key phase in designing control responsibility to stakeholders.
ISO 27001 Gap analysis will reveal gaps in all applicable domains such as ISMS governance, Application development, IT operations, Cloud Operations, Human resources, Physical Security, Supplier management etc.
Coral consultants will provide detailed recommendations for each identified gap with their recommendations.

Phase III - Control - Design, Documentation, Measurement, and Risk Management

ISO 27001 Control Design involves control allocation responsibility to organization stakeholders.
Documentation involves sharing and discussing 20+ policies and procedures across domains involving ISMS governance, Application development, IT operations, Cloud Operations, Human resources, Physical Security, Supplier management etc., as per applicable controls.
Risks identified in the gap analysis are tracked toward decision-making and closure. Some risks are quick wins, whereas others may take longer to close.
Control Measurement involves testing the control effectiveness and providing stakeholders with an objective performance of the ISMS
These phases may run in parallel or sequential based on the organizational dynamics.

Phase IV - Training & Brainstorming Sessions

Training of staff involved in ISMS operations is a key factor in successful ISMS implementation.
ISMS involves company staff involved in defining their internal security controls.
Our consultants will deliver a combination of trainings including awareness, risk management and standard interpretation
Each documentation or risk undergoes brainstorming with staff to derive at a ‘best-fit’ solution for the organization.

Phase V - Internal Audit and Management Review

ISO 27001 Internal audit starts with preparation of ISO 27001 checklist and selecting client staff as auditee, latter responsible for the controls.
Internal Audit involves verifying the effectiveness of the implemented lifecycle controls through interviews with system verification of applicable controls.
A formal report is published for management team.
We facilitate reviews with the management to ensure that the initial ISO 27001 policy objectives and goals are achieved.

Summary

At this stage:

As a result of undergoing these phases, Coral has implemented for a client an operational Information Security Management system (ISMS) that includes people, processes, technology and ongoing measurements.
Each of the ISO 27001 certification requirement has been completed by combination of one or more of policy, responsibility, report, record, technology, and automation.
The organization now has a plan that demonstrates its continued commitment like any other business function.
At this stage, the organization is ready for inviting external certification body to certify them to ISO 27001 certification.

Phase VI - External Certification Support

Chosen external certification body audit performs ISO 27001 certification in two phases:

Stage 1 – Documentation Review, and
Stage 2 - Implementation Verification

With the two phases completed, the certification body issues an ISO 27001 certificate.
Finally, upon receiving their ISO 27001 certificates, the clients are officially iso 27001 certified. This is the time to celebrate !!

Start Your ISO 27001 Journey Now!

ISO 27001 - 2022
Brief Overview

Control Area	Total Controls
Management Controls System	30
Organizational Controls	37
Personnel Controls	8
Physical Controls	14
Technical Controls	34
Total	123

ISO 27001 – 2022 consists of Management System requirements and Annexure Controls.
Management system requirements help to design the governance system, whereas annexure controls assist in choosing the applicable controls to reduce information security risks.
There are currently 30 individual requirements in the ISO 27001 Management System section and 93 controls in the annexure sections.
Listed below are further breakups on the annexure controls

ISMS – ISO 27001 FAQs

How fast can a company achieve ISO 27001 certification?
- ISO 27001 certification involves the presence of a management system and the successful implementation of the applicable annexure controls.
- Most organizations which are currently not certified have 20-30% of annexure controls already in place. How do we know this? This is based on our experience of the initial gap analysis.
- To achieve certification the organization needs to implement the pending applicable annexure controls and a system of governance.
- The speed is dependent on several factors including the choice of consultants, the organization's readiness to address the identified gaps, agreement on the policies and procedures, and a holistic approach that involves all functional heads involved in the journey.
- A small organization with 1 production network, 1 location, and less than 100 people would generally take 2-3 months to accomplish this.
- It is not necessary that a larger organization with more people will take more time, it is a function of determining the applicable control, identified gaps and how fast collectively everyone gets together to make those security decisions and the implementation.
- Do not forget to add the time that a certification body will take to perform stage 1 and stage 2 audits
- For a more precise discussion, reach out to us.
What are the mandatory requirements in iso 27001?
- Unfortunately, this is not a straightforward forward answer as you might think :-)
- But here is a sincere attempt.
- Management system controls (Clause 4 to 10) are mandatory
- The number of annexure controls is based on risk assessment.
- See the diagram above for 4 sections of the annexure controls.
- In the Anexure controls, few sections are mandatory, because in every organization there will be organizational, and personnel controls.
- For most organizations working remotely many of the physical security controls may not apply.
- The technical controls require assessment based on whether you have your data center or you are in the cloud. Whether you have an in-house development team or a third party. Based on those assumptions controls can be added or removed.
- For instance, if you don't have in-house application development, all controls that are linked to development and its network requirement are not applicable.
- For a more precise discussion on the applicability of controls, reach out to us.
What is information security?

Information is anything that has a business value. Security is the protection against loss of confidentiality, integrity and availability. Combined, in the context of any organization, information security is the protection of all information that business considers ‘valuable’.
What is information security management system (ISMS)?
- ISMS is an organization framework that defined a set of rules, policies, and procedures that ensures protection of information.
- ISMS is a management program driven by a management representative such as Chief Information Security Officer (CISO).
What is ISO 27001 certification?
- ISO 27001 is the certification that the organization achieves upon demonstrating that they have implemented the ISMS.
- ISO 27001 is a certificate issued by a certification body upon completing a 2- phase audit.
- An ISO 27001 certification is valid for three years subject to annual surveillance.
- ISO 27001 certificate provides assurance to your customers that you have implemented 'optimum-security' in all processes that handles sensitive data.
What are the benefits of implementing ISMS?
- Implementing ISMS helps an organization to protect their information and digital assets, proactively.
- Additionally, it reduces the opportunity of being hacked as systems and processes are designed to ensure that the organization and its information assets are secure.
- Processes such as risk assessment ensure all changes in the organizations consider security as part of the implementation.
- Controls such as threat intelligence ensures you are proactive as new threats develop in the wild.
- An annual calendar of 'management system' activities ensures that ensures there is an overarching role that is guiding the organizations security related decisions.
How much does it cost to implement ISO 27001 2022?
A number of factors play a role in determining the fee, such as:
- Scope of business, and information systems involved.
- Number of business locations.
- Number of networks including cloud service provider.
- Presence of application development in scope.
- Identified gaps or risks.
Please contact us, we are fairly quick in submitting a commercial proposal.
What are the key phases of implementing ISMS?

The phases of implementing include understanding the business, listing all information assets, conducting gap analysis, risk assessment and risk management, policy documentation, testing and measurement of controls, audit, and awareness of all stakeholders.
What are the roles and responsibilities for an ISO 27001 Certification Consultant?
ISO 27001 certification consultant has the following skills:
- ISO 27001 certification consultants combined the role of a business analyst, risk assessment specialist, security architect, and security policy specialist - all combined in one role.
- Main responsibilities include the ability to enable an organization to successfully iso 27001 certifications through a formal process of gap analysis, documentation, process measurements technical implementations, internal audit and measurement.
- Ability to explain the iso 27001 requirements to the organization that includes management, functional owners, and employees, and enable them to implement secure practices.
- Ability to perform security risk assessment and risk remediation.
- The ISO 27001 consultant should be aware of the latest changes in technology, security breaches, and risk management practices.
- Ability to draft and implement the company-specific policies, and procedures that drive security operations of the organization.
- Ability to articulate and communicate risk to the management that elicits risk mitigation decision.
- Manage an isms compliance program to support a dynamic business environment.
How to make a ISO 27001 Certification Checklist?
ISO 27001 checklist creation is a challenging but interesting task that includes on one hand, understanding of iso 27001 requirements, and on the other an organization’s business, strategic information risks, and their information assets.

ISO 27001 has control requirement covering several domains that includes the following domains.
- Strategic
- Technical
- Physical
- Personnel
- Suppliers
- Process
Phase A – ISO 27001 requirement checklist

The journey starts with getting a copy of the iso 27001 controls, and using the same to create a meta template in which against each requirement one should prepare the iso 27001 questions using one or more of the followings:
- What to ask?
- What to check?
- Whom to ask?
Phase B – Business requirement checklist

In the organization context, each business is somewhat unique, so the next step is to gather enough information about the organizations, such as:
- Main Business
- Products and Services
- Information to be secured
- Information Systems in Use
- Number and location of Users
- Applications developed
- Network locations
- Office locations
- Supplier List and their services
- Individual roles and nominations
With this, one has created the organization context necessary to apply the questions from the phase A.

ISO 27001 checklist is incomplete with just the standard questions, there is always a need to prepare the question in the context of the organization for which this is applied.

A complete iso 27001 checklist strategy therefore needs to have both the iso 27001 control checklist as well as organizational checklist.
What does the ISO 27001 certification body lead auditor looking for in certifying an organization?
ISO 27001 certification audit is valid for three years subject to fulfilment of the standard requirements by the organization. ISO 27001 certificate is issued by the certification bodies.

In the first year they perform two stages of the audit, namely stage 1, and stage 2.

Stage 1 audit is the documentation audit, where they look for documentation alignment with the applicable requirements as per the organizations Statement of Applicability (SOA).

Stage 1 questions are centred around company policies and procedures and demonstrate an organizations’ ‘intent’.

Stage 2 assessment aims at verifying the ‘implementation and effectiveness’. This phase is much more comprehensive where the iso 27001 certification body auditor looks for evidence of implementations across all domains and controls that are applicable to the organization.

Stage 2 focuses on the technical side of the implementations that includes the followings:
- Cloud security controls,
- Network security controls,
- Application development security lifecycle controls
- Human resource controls
- Physical security controls
- Supplier management controls
- Other ‘security management’ processes
Upon assured of the ‘intent, implementation and effectiveness’ the iso 27001 certificate is issued by the certification body to the organization.
How to define a scope statement in ISO 27001 certification journey?

"The scope statement is an important statement for any organizations iso 27001 certification as it reflects the business and supporting functions that support the information security management system (ISMS).

A scope statement generally has the following 4 parts:

Part 1: About the business, the sentence looks like:

information security management system (ISMS) applies to the delivery of [Software as a service (SAAS)] OR [business process outsourcing].

Part 2 – Industries that you serve, the sentence may look like:

The services cater to the healthcare industry.

Part 3 – Internal teams or functions:

ISMS is supported by internal teams such as Product Management, Application Development, Cloud Operations, DevOps, IT Operations, Human Resource, Legal, Procurement, physical security and business development.

Here you write functions as per the organization structure, all teams that participated.

Part 4 – Reference to Statement of Applicability (SOA)

This is as per Statement of Applicability (SOA) version 1.0

Note that the SOA is where all the applicable and not applicable controls are listed.
What is the ISO 27001 Statement of Applicability (SOA)?
SOA is a document created by the organization to demonstrate its alignment with the standard list of annexure controls.
- it declares applicable controls and those that are not.
- It defines the justification for both applicable and not applicable controls.
- It is the basis on which a company gets certified. SOA is used by the ISO 27001 certification auditor to make their judgment on the scope of compliance.
- As a best practice, we advise clients to add more columns in the SOA such as documentation and risk owner, a term to associate a control with a team, responsible for enforcement of the control in the organization.
How to fulfill the ISO 27001 cloud security requirements?

Cloud security is a shared responsibility. Each cloud service provider, be it SAAS, PAAS or IAAS, provides shared responsibility controls to its customers.

In our ISO 27001 Consulting Services, we assist clients in determining the applicable shared controls and assist them through the process of gap analysis, and implementation support.