Globeteam
ISO 27001
Feel free to contact me if you want to hear more
- Henrik Gissel Szokody
- hgs@globeteam.com
- +45 4245 8797
Manage your information security
Every company has its own level of ambition when it comes to information security and ISO 27001. Globeteam helps you establish information security management that is effective, fits your company's particular needs, runs efficiently throughout the process and supports continuous improvement.
There are various levels of engagement that a company may have with ISO 27001:
- Inspired: The company takes inspiration from the standard, typically in one or a few areas where it seems most relevant.
- Aligned: The company has structured its security work according to the standard and uses it as a template and guidance.
- Compliant: The company works according to the standard in all areas but has not been certified by an external third party.
- Certified: The company is certified against the standard, typically by a recognised, global third-party certification body.
Stages of a typical ISO 27001 project
Our involvement in an ISO 27001 project will, of course, be tailored to your specific project objectives. There are a number of common stages in most projects, however, such as:
- Participation in formulating project objectives based on existing and expected information security requirements. These requirements are usually rather unstructured, often in the shape of laws, industry standards, authority and client requirements, on top of your own internal wishes and needs. Our contribution here is to collect and structure those requirements.
- Gap analysis. We then review the company's current situation against the requirements above to identify areas that deviate from them. The gap analysis is presented to management together with a rough project plan and a resource estimate for closing the identified gaps.
- A workshop. Here the project plan, objectives and resource estimates are discussed, expectations are aligned and decisions are made. We normally facilitate the workshop, and the company is typically represented by management, client-facing functions and the IT department.
- At the workshop, our future role in the project is also agreed. We can deliver specialist input, project management and "raw" resources for the project, but the right degree of involvement has to be found, striking a balance with your own skills and resources.
- After the workshop, we adjust the project plan and related material based on the input received. The agreed tasks are then distributed in accordance with the adjusted project plan.
- The project's progress is monitored in accordance with the project plan and the project management model agreed with your management.
Specially trained compliance consultants
Our compliance services are delivered only by consultants who have completed formal training in information security and data protection/GDPR and/or hold certifications in these areas.
Thanks to their long practical experience, the consultants also take a business-oriented approach to the task. This ensures that the solutions we propose are specifically adapted to your company.
Their international and national training and certifications include, among others:
- Certified ISO/IEC 27001 Lead Implementer
- Certified in the Governance of Enterprise IT
- Certified Information Systems Auditor
- Certified in Risk and Information Systems Control
- Trained in GDPR/personal data protection
- Certified Data Privacy Solutions Engineer
Why should you comply with ISO 27001?
The many different and complex requirements within information security make it increasingly necessary for companies to implement a management system for their IT security work. ISO 27001 is the international standard for information security management systems (ISMS), and it has the advantage of being the de facto standard in Denmark and the rest of Europe, which makes it easy to find help and assistance for your security work.
Many clients are now directly or indirectly dependent on their suppliers being able to manage IT security and to document it. This is becoming an increasingly common requirement in supplier management and is written into collaboration agreements, often alongside requirements such as liability insurance. To aid transparency in these scenarios, requirements are commonly expressed as compliance with a standard. In most cases, that standard is ISO 27001.
Beyond giving clients the assurance that IT security is managed properly according to an ISO standard, the standard also gives the company's management and employees a tool for determining appropriate security levels and for managing security going forward. They can be confident that information is handled and protected in the right way, lowering the risk of security breaches. This approach is not just about involving management and employees in the relevant decisions; it also future-proofs the business and strengthens competitiveness.
GDPR and ISO 27001
The ISO standard provides useful and relevant guidelines for managing information security and is a very good foundation for any organisation that wants to work with it in a professional and structured way. However, using the standard is not a guarantee that you are acting in accordance with the rules set out in the EU General Data Protection Regulation (GDPR) and national data protection law.
When you implement a management system such as ISO 27001, there are many decisions to make, including which areas of law the system should cover. It is therefore important to take into account the legal requirements that apply to your company, whether GDPR, financial regulation, health legislation, administrative law or others.
- Establishing a project framework and goal: Determining objectives, milestones, set of rules, overall distribution of tasks, project finances and solution model.
- Carrying out a maturity assessment/gap analysis: Identifying the areas of the company that fulfil and that deviate from the project's goals.
- Establishing and approving a project plan for solutions: Where the maturity assessment has identified deviations, we draw up a solution proposal.
- Carrying out the solution plan: The solution plan is executed based on an agreed distribution of tasks between Globeteam and the client, with the auditor involved at the relevant stages.
- Developing a statement of assurance: In collaboration with the client, we can draft the statement of assurance and coordinate the work with the auditor right up to the signed statement.
- Project evaluation: An overall evaluation of how well the project met its goals, based on the project framework, with proposals for adjusting next year's project.
What is ISO 27001?
ISO 27001 is the result of a global collaboration involving thousands of information security experts. The standard itself specifies the requirements for an information security management system (ISMS) and, in its Annex A, lists a reference set of controls describing the areas that you as an organisation should review and assess in your information security work.
The ISO standard provides a predictable structure and recommendations for how to plan, implement and manage your information security work in areas such as:
- Organisation of information security
- Regulatory frameworks, e.g. data protection law, bookkeeping law, the national security executive order and other relevant industry-specific legislation
- Human resource security
- Access control
- Cryptography
- Physical security
- Communications security
- Supplier relationships
- Information security incident management