Phase II: Remediation & Implementation
All organizations will have gaps and deficiencies within their information security, cybersecurity, and privacy controls - that’s no surprise - so don’t be alarmed. It’s difficult - almost impossible - to have a full-proof set of policies, procedures, and processes that encompass and cover every possible control. For that reason, the Phase II Remediation & Implementation phase is often the most time-consuming and intensive phase within the entire ISO/IEC 27001 lifecycle of activities.
When we talk about remediation for ISO/IEC 27001, MorganHill is primarily focusing on the following four (4) key areas:
- Organizational Culture
- Systems & Security
Organizational Culture: Any type of meaningful change within an organization is dead on arrival without executive support - and without employees also truly embracing the necessary changes that must come about. Therefore, setting the tone in terms of expectations, roles, responsibilities, and the need to truly embrace information security, cybersecurity, and data privacy best practices is absolutely important. MorganHill will work with your organization to help reset and re-establish that cultural change that is so vital to the success of ISO/IEC 27001. How do we do this, by undertaking the following proven methods:
- Gain Senior Leadership Approval: Any major initiative undertaken by an organization needs and requires the full support of senior leadership, without it, there is simply no traction. The same goes for one’s ISO/IEC 27001 initiatives - you need full buy-in and support, and we help develop a true and credible narrative - and a proven process - for obtaining that essential buy-in. With leadership on board 100%, obtaining ISO/IEC 27001 certification becomes much more manageable and attainable.
- Earn the Trust of Employees: Nobody likes change, especially when it comes to a new set of strictly enforced information security, cybersecurity, and data privacy requirements. It’s therefore to earn the trust of employees by making them well aware of the many positives that ISO/IEC 27001 can bring to the table, not only for the organization, but for their specific job.
- Ensure it’s a Team Effort: Employees need to know that earning and maintaining ISO/IEC 27001 certification is everyone’s responsibility, a true team effort from beginning to end. Everybody plays an important role in helping the organization through the overall ISO/IEC 27001 journey. When this is properly communicated, it immediately creates a culture of communication, sharing, and an attitude of “let’s all get this done.”
Documentation: A large part of remediation in terms of successfully preparing an organization for ISO/IEC 27001 certification is developing all required policies and procedures - and other supporting documents - for each of the respective controls within Annex A of the ISO/IEC 27002:2022 publication. Policies and procedures are a big, and growing part of regulatory compliance, and that’s very true for ISO/IEC 27001.
If you ask us what’s the largest amount of time MorganHill generally spends on an ISO/IEC 27001 engagement, it’s developing the massive amounts of documentation needed for certification. From access control policies and procedures to incident response plans, business continuity planning, there are literally dozens of information security, cybersecurity, and data privacy policies, procedures, programs, and plans that MUST be developed for earning ISO/IEC 27001 certification.
With MorganHill, we’ve taken the time to develop industry leading, high-quality ISO/IEC 227001/27002 policies and procedures templates, along with other necessary documentation. While ISO/IEC 27001 certification requires comprehensive, well-written policies and procedures to be in place, remember that organizations need to act on and execute on what the actual policies say and what the procedures require you to do. With our ISO/IEC 27001/27002 policy templates, they do just that. Want a sure-fire way to speed up the ISO/IEC 27001 journey? Make sure you start the process with high-quality templates, such as those offered by MorganHill.
Operations: Documentation (i.e., policies, procedures, etc.) is important - this was just discussed - but it’s just as important to implement and remediate operational gaps found during the ISO/IEC 27001 Scoping & Gap Assessment. When we talk about ‘operational’ gaps, the following come to mind:
- Implementing security awareness and training.
- Developing and implementing structured and formalized onboarding and offboarding processes for users.
- Undertaking background checks on employees.
- Performing employee reviews.
- Developing and implementing a Third-Party Risk Management Program for monitoring suppliers.
- Performing an annual risk assessment.
The above measures are excellent examples of the many operational gaps we find during our Phase I ISO/IEC 27001 Scoping & Gap Assessment. MorganHill has the expertise, knowledge, manpower, and resources you need to confidently remediate all operational gaps - quickly and efficiently.
Systems & Security: Designing, implementing, and maintaining an ISMS ultimately requires the use of various system security tools and solutions. When we talk about ‘systems & security' measures to implement, the following come to mind:
- Network security and system security.
- Vulnerability Scanning.
- Penetration testing.
- Network alerting, monitoring, and logging.
- File system monitoring and logging.
- Endpoint (i.e., desktops and laptops) monitoring and logging.
- Two-factor/multi-factor (2FA/MFA) authentication.
- And more.
The above measures are excellent examples of the many systems & security measures which organizations need to implement to secure their IT infrastructure. MorganHill has the expertise, knowledge, manpower, and resources you need to assist in terms of selecting, acquiring, and implementing any number of high-quality system security tools and solutions.
What drives an organization - any organization - in terms of its business?
The people, that’s who, and more importantly, the culture of the organization. That’s why the very first step in an ISO/IEC 27001 Scoping & Gap Assessment is having a healthy dialogue on all things relating to information security, cybersecurity, and privacy.
First Step: Why are We Here?
“Why are we here” with regards to ISO/IEC 27001 is the very first question we ask our clients. Specifically, what has brought about the need for obtaining ISO/IEC 27001 certification? Those simple four words are all that’s needed to start the dialogue and begin to truly understand the organization’s culture, its strengths, weaknesses, and the road that lies ahead in terms of ISO/IEC 27001. Before we even begin to discuss what an Information Security Management System (ISMS) is - and all other other aspects of ISO/IEC 27001 - we want to learn about your organization, your people, your processes - your culture.
A successful Q&A requires participation from a cross-sectional representation of personnel from various departments, allowing for a healthy discussion on the broader topics of information security, cybersecurity, privacy - and anything else that’s relevant. There’s a time and place in the ISO/IEC 27001 Scoping & Gap Assessment for doing the prescriptive, check-the-box activities, but that comes later.
Second Step: Assessing & Understanding Scope and an ISMS
Next, it’s critical to assess, understand, and ultimately, define scope in terms of ISO/IEC 27001. This brings into the conversation what’s known as an information security management system (ISMS). Specifically, an ISMS is a framework of well-written policies, procedures, processes - and other related measures and initiatives - that systematically manages information security, cybersecurity, and privacy risks throughout an organization.
Furthermore, an ISMS includes the processes, people, technology, and procedures that are designed to protect against unauthorized access, use, disclosure, disruption, modification, or destruction of information. Therefore, to gain ISO/IEC 27001 certification, auditors will want to examine all the various measures that constitute a sufficient ISMS in terms of its policies, procedures, processes - and other related measures and initiatives. With MorganHill, we’ll bring you to speed on all the specifics of an ISMS.
Third Step: Understanding & Assessing ISO/IEC 27002 Annex A Controls
For the third step in the Phase I Scoping & Gap Assessment, organizations will then assess their environment against the list of 93 Annex A controls found within ISO/IEC 27001:2022 and ISO/IEC 27002:2022 and begin the process of determining which controls are deemed in scope for the ISMS, and ultimately, for working towards ISO/IEC 27001 certification. When reviewing each of the 93 controls for scoping purposes, it’s important to assess their applicability in terms of the following three information security requirements:
- Overall business risks
- Legal, statutory, regulatory and contractual requirements
- The principles, objectives, and business requirements an organization has developed to support its operations.
Just remember to start to think about what these three information security requirements really mean in terms of impacting your organization. And it’s important to note that a risk assessment should be performed during this stage for helping better understand scope, overall business risks, and for helping ensure that the SoA, (an important component which must be developed) aligns the organization’s needs.
While ISO/IEC 27001 provides no specifics on the type of risk assessment - and risk treatment process - they do provide a list of required criteria that should be included. With MorganHill, we’ve developed a highly useful and adaptable Information Security Risk Assessment Program that covers all areas as required by sections 6.1.2 and 6.1.3 of ISO/IEC 27001: 2022.
Fourth Step: Gap Assessment Findings, ISMS and Statement of Applicability (SoA)
The end result of the Phase I ISO/IEC 27001 Scoping & Gap Assessment is a formalized document detailing the initial findings and next steps in remediating all deficiencies found. Additionally, you’ll also have a solid footing in terms of being able to document your ISMS in a brief, yet detailed narrative summary.
And lastly, you’ll be provided with what’s known as an ISO 27001 Statement of Applicability (SoA), which is a document that essentially summarizes an organization's position on each of the 93 Annex A Controls. The SoA will be collaboratively developed - and agreed upon - by both parties involved (i.e., your organization and MorganHill). More specifically, a well-written SoA must:
- Identify which controls an organization has selected to tackle identified risks.
- Explain why these have been selected.
- State whether the organization has implemented the controls; and
- Explain why any controls have been omitted.
Begin your ISO/IEC 27001 journey today with our industry leading ISMS 27001 Scoping & Gap Assessment Workbook. Our comprehensive, in-depth ISMS 27001 Scoping & Gap Assessment Workbook will help organizations clearly define the scope of their Information Security Management System (ISMS) as required by ISO/IEC 27001.