Information Security Management System (ISMS) and ISO certification (ISO 27001)

As you aim to achieve international recognition and access to the global digital market, consumer trust is won through the assurance of having a proper ISO 27001 certified Information Security Management System (ISMS) in place.


Our Professional Services

ISO 27001:2013 Information Security Management System (ISMS)

Our experienced team of in-house ISO consultants can plan and guide you through this process smoothly, covering critical areas for your company, as follows, to ensure you are well-established.

What is ISO 27001 certification?

The ISO/IEC 27001:2013 certification is commonly known as the ISO 27001:2013 Certification. It refers to Information Security Management Systems and, as the name implies, is the international standard for information security management. This international standard has become more prevalent in recent years due to the rapid digitisation of economies and society.

It was first published in 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which explains why it is called ISO/IEC 27001. Later on, in 2013, it was revised to become the latest version of ISO/IEC 27001:2013.

What are the benefits of getting ISO 27001 certification?

The most tangible benefit of being certified to the global standard for Information Security Management Systems (ISO/IEC 27001) is access to markets. In most countries, there is legislation and/or regulation in place to ensure the safe handling of information. Some examples of such legislation and regulations are:

  1. General Data Protection Regulation (GDPR) – Compliance with this regulation is mandatory in the European Union as long as your organisation handles any form of personal data.
  2. Health Insurance Portability and Accountability Act (HIPAA) – Compliance with this legislation is mandatory


If these requirements are not fulfilled, the products cannot be marketed. That usually forms the largest barrier to market entry.

If that is not already the most obvious benefit, companies with the ISO 13485 certification can also:

  • Meet customer requirements and increase customer satisfaction through quality systems, while meeting product requirements and strengthening brand reputation;
  • Meet applicable statutory and regulatory requirements;
  • Address product requirements, product quality and product safety without losing focus on business operations;
  • Improve clarity on management responsibility and decision-making processes;
  • Provide guidance towards proper resource management, including the people, infrastructure, processes involved, and overall work environment; and
  • Show commitment and focus towards patient safety.

The Information Security Management System (ISMS) standard includes the detailed requirements companies need to set up, implement, maintain and continually improve their information security management systems.

Being certified to ISO/IEC 27001:2013 validates that your organisation is putting resources into protecting the information assets that you have painstakingly built or invested in.

ISO 27001 certification process

Getting ISO 27001:2013 certified is a lengthy process, requiring a prolonged period ranging from six months to a year depending on the requirements of your organisation. The key steps to achieving ISO 27001:2013 certification are as follows.

Step 1: Learning about the ISO 27001 standard

Start off by learning the clauses and requirements of the ISO 27001:2013 standard. You need to know the specific requirements in order to understand how to build your own information security management system.

Step 2: Developing an ISO 27001 project plan

Starting from this stage, you can engage an external ISO consultant to collaboratively plan the whole project with you. Through this project planning phase, you will be able to identify the various scopes, objectives and requirements of your information security management system (ISMS) project.

It is important to list out the timeline and prerequisites in order to prevent bottlenecks from occurring within the duration of your implementation project.

Step 3: Perform risk assessment & gap analysis

Next, you should perform a risk assessment on your organisation’s current information security management system to determine the current and potential information security risks, using the results to gauge how your organisation fares in terms of information security risk.

This includes performing the risk assessments on all information assets that may store important information such as your customer’s personal data, intellectual property, employee details and business information.

Concurrently, you should also perform a gap analysis to determine whether your current information security management system has met the requirements of the ISO 27001:2013 standard.

A risk treatment plan and/or business continuity management plan must be drafted to mitigate or lessen the impact of the security threats found against your information assets. Having robust information security controls is a proven and pragmatic way for any organisation to provide assurance to relevant stakeholders.

Through this risk treatment plan, information security controls can then be applied and verified against all 114 controls defined in Annex A of the ISO/IEC 27001:2013 standard. This exercise produces a Statement of Applicability, which records which controls are applicable and, for those that are not, the justification for excluding them.

Step 4: Training your organisation

In the process of getting your organisation certified, you should start training employees on the various requirements, legal and regulatory obligations of the ISO 27001:2013 standard.

Training can be done internally if you have the expertise, or you can send your employees to external organisations that conduct ISO 27001:2013 training courses.

Step 5: Documenting evidence

Certification and audit is a lengthy process that requires an extensive amount of documentation, so it is crucial that you store all the documents in an organised and secure manner.

Our proprietary software Stendard Solution™ specialises in document storage and management which is perfect for this situation.

Step 6: Implementing ISMS and undergoing certification audit

The next stage of the certification process is to implement your information security management system and liaise with a certification body to conduct an audit of your ISMS, assessing its performance and compliance.

Step 7: Monitor and remediate

ISO 27001 certification is a continual improvement process. It is important to constantly review your business operations against the documented information security management processes to ensure that you always remain in compliance with the standard.

Any discrepancies found must be remedied and reviewed so as to not risk failing the subsequent audits.

Stendard's ISO 27001 consultants in Singapore (competitive edge)

  1. Listening to your team, your industry and your market interest to understand the pain points and requirements that apply to your company;
  2. Custom scoping of your ISMS, with a detailed explanation of the risk management process, as well as an explanation of the certification process;
  3. Ensuring the relevant Control Objectives and Controls are well-established in accordance with best practices;
  4. Ensuring the competency of your team regarding ISO 27001:2013 standards and requirements, which includes the conduct of training courses;
  5. Providing guidance or performing annual internal audits with the relevant departments;
  6. Performing a deep dive through internal audit services with your whole organisation, in preparation for ISO 27001 certification; and
  7. Setting up links to the third-party auditing body or accredited certification body.

ISO 27001 certification cost in Singapore

The cost of obtaining an ISO 27001 certification varies depending on your organisation's unique requirements. For a more accurate price gauge, contact us and one of our consultants will get back to you as soon as possible!

With multiple offices in both Singapore and Indonesia, we are able to support you and your organisation within this region and beyond.

Using Stendard Solution™ to facilitate our consultancy services

We pride ourselves in using technology to enhance our services as compared to the traditional paper-based documentation processes.

Using our proprietary Stendard Solution™ software, we empower our consultants and clients by providing vital documentation functions such as:

  • Secured document storage
  • Seamless organisation and retrieval of documents
  • Easy to use document control function
  • Electronic signing of documents
  • Detailed workflow and tasks management function
  • Robust access control and security measures to ensure maximum security of your documents and files


These are just some of the features of Stendard Solution™; there are many more functions that can help you achieve regulatory compliance. To find out more, contact us or try it out yourself!

Our consultants advise on which standard applies to your organisation

Our consulting team uses a systematic approach to advise which international standard(s) your organisation should abide by, ensuring appropriate compliance where necessary.

Many organisations are surprised to find that more than one ISO standard applies to their processes. We have helped many such organisations address this and integrate the standards effectively to avoid unnecessary overlaps.

  • ISO 13485:2016 – Quality Management Systems (Medical Devices)
  • ISO 22000:2018 – Food Safety Management Systems
  • ISO 27001:2013 – Information Security Management Systems
  • ISO 22301:2019 – Business Continuity Management Systems
  • SS 620:2016 – Good Distribution Practices for Medical Devices (SG)
  • SS 444:2018 – Hazard Analysis and Critical Control Points
  • EU Medical Devices Regulations (Upcoming)

ISMS Compliance

Our consultants scope your Information Security Management Systems, setting up appropriate processes, procedures, records and other documents

Keeping in mind your current business and operational practices, we work closely with your team to develop an Information Security Management System (ISMS) with minimal disruption to ongoing business activities. Building on existing procedures and within your physical capacity, we ensure compliance to ISO 27001 standards through the introduction of additional procedures as needed.

Our systematic approach to ISMS implementation provides a clear timeline for project milestones to be reached. Enjoy time saved through efficiency as we work closely over our Stendard Solution™ platform, which allows for the smooth assignment of tasks and online collaboration.

We will also provide an in-depth explanation of what is required to achieve an effective ISMS. The standard takes a risk-based approach to information security, so much of its requirements revolve around identifying information security risks. At this point, we introduce an effective risk management process suited to your organisation, addressing risks and opportunities through a thorough risk assessment and risk treatment plan before selecting appropriate controls to tackle them. This is essential in giving all interested parties confidence that the risks are properly managed.

In the next section, we explain the control groups and controls recommended as part of ISO 27001.

Adherence to Control Groups and Controls

Our consultants ensure that relevant Control Objectives and security controls are well-established

Annex A of the ISO 27001 standard lists the 14 main control groups, originally published to provide guidance towards an effective ISMS. The 14 control groups are as follows:

  1. Annex A.5: Information security policies — Consisting of 2 controls, Annex A.5 ensures that your organisation has written and reviewed the policies to align with your organisation’s operational practices.

  2. Annex A.6: Organisation of information security — Consisting of 7 controls, Annex A.6 ensures that responsibilities of the specific tasks have been allocated. It encourages the organisation to have a centrally managed framework to implement and sustain information security practices and is designed to ensure that anyone working from home or anywhere else is still following the compliant methods.

  3. Annex A.7: Human resource security — Consisting of 6 controls, Annex A.7 ensures that all internal staff and 3rd-party vendors understand their respective responsibilities. It addresses the obligations before, during and after employment (or when there is a change of role).

  4. Annex A.8: Asset management — Consisting of 10 controls, Annex A.8 ensures the proper identification of information assets and the definition of responsibilities to protect them. It provides guidance on proper asset identification and valuation steps, ensures an appropriate level of defence against threats, and protects sensitive data against unauthorised disclosure, alteration or damage.

  5. Annex A.9: Access control — Consisting of 14 controls, Annex A.9 ensures that internal staff can only view information relevant to their respective role by addressing access controls on the data, systems & applications, and the management & responsibilities of users.

  6. Annex A.10: Cryptography — Consisting of 2 controls, Annex A.10 covers the encryption and management of sensitive data. It ensures that your organisation uses cryptography effectively and adequately to protect data privacy and integrity.

  7. Annex A.11: Physical and environmental security — Consisting of 15 controls, Annex A.11 is the most extensive Annex in ISO 27001. It positions your organisation’s physical and environmental security. The primary purpose is to restrict unauthorised access, threats, damage or interruption to the physical premises or the sensitive data held within.

  8. Annex A.12: Operations security — Consisting of 14 controls, Annex A.12 ensures that your facilities that process any type of data are secured. This Annex covers:
    – Operational procedures and responsibilities of roles,
    – Defences against malware and threats,
    – System back-ups to prevent data loss,
    – System logs, which can be used as documented evidence when incidents occur,
    – Protection of the integrity of operational software,
    – Protection against technical vulnerabilities that could result in unauthorised exploitation, and
    – Minimisation of disruption to operational systems caused by audit activities.

  9. Annex A.13: Communications security — Consisting of 7 controls, Annex A.13 guides the way your organisation protects data in networks. It includes managing network security and ensuring that data privacy, availability and integrity in those networks remain intact. It also covers the protection of data in transit between internal staff and 3rd-party vendors.

  10. Annex A.14: System acquisition, development and maintenance — Consisting of 13 controls, Annex A.14 ensures that data security remains the focus of your organisation’s processes. It covers the requirements for the security of your internal systems and those that render services over public networks.

  11. Annex A.15: Supplier relationships — Consisting of 5 controls, Annex A.15 addresses the agreements your organisation has with 3rd-party suppliers. It directs the protection of your organisation’s information assets that are accessible to suppliers. It is also designed to ensure that all parties are committed to maintaining the agreed level of information security throughout the collaboration.

  12. Annex A.16: Information security incident management — Consisting of 7 controls, Annex A.16 directs the management and reporting of information security incidents. It identifies the roles and responsibilities of internal staff during contingencies, thus ensuring a consistent and practical response to incidents.

  13. Annex A.17: Information security aspects of business continuity management — Consisting of 4 controls, Annex A.17 ensures an effective response to disruptions in business operations. It focuses on the continuity of best practice (ISMS) – suggesting measures to ensure that information security continuity is part of your organisation’s business continuity management system (BCMS). It also addresses the redundancies, making sure of the availability and integrity of data processing facilities.

  14. Annex A.18: Compliance — Consisting of 8 controls, Annex A.18 ensures that your organisation correctly recognises the relevant laws and regulations. It encourages you to understand the legal requirements, reducing the risk and penalties of non-compliance.

Based on this brief overview, the 14 control groups and 114 controls under ISO 27001 can seem overwhelming to enforce. However, not all 114 of ISO 27001’s controls must be implemented: what was published in Annex A is a list of possibilities for your organisation to consider, based on your requirements.
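As an added example (not the page's or Stendard's own code), the following check ties the Statement of Applicability from Step 3 to the 14 Annex A control groups and their control counts listed above: every one of the 114 controls must be decided, every exclusion must carry a justification, and every included control must trace to a treated risk or a stated requirement. The control ids (such as `A.9-3`), the risk register and the justifications are constructed placeholders, not the real Annex A numbering.

```python
from collections import Counter

# Annex A control group -> (name, number of controls), as stated on the page; totals 114
ANNEX_A_GROUPS = {
    "A.5": ("Information security policies", 2),
    "A.6": ("Organisation of information security", 7),
    "A.7": ("Human resource security", 6),
    "A.8": ("Asset management", 10),
    "A.9": ("Access control", 14),
    "A.10": ("Cryptography", 2),
    "A.11": ("Physical and environmental security", 15),
    "A.12": ("Operations security", 14),
    "A.13": ("Communications security", 7),
    "A.14": ("System acquisition, development and maintenance", 13),
    "A.15": ("Supplier relationships", 5),
    "A.16": ("Information security incident management", 7),
    "A.17": ("Information security aspects of business continuity management", 4),
    "A.18": ("Compliance", 8),
}
TOTAL_CONTROLS = sum(n for _, n in ANNEX_A_GROUPS.values())  # 114
# Constructed (hypothetical) risk treatment plan: risk id -> treatment decision
RISK_REGISTER = {"R-01": "mitigate: restrict admin access by role (Annex A.9)",
                 "R-02": "transfer: insure against outage losses (Annex A.17)"}

def group_of(control_id):
    # 'A.9-3' (placeholder id) or a real 'A.9.2.3' -> its Annex A group 'A.9'
    return ".".join(control_id.replace("-", ".").split(".")[:2])

def check_soa(rows, risk_register):
    """Return (ok, findings) for SoA rows {'control','applicable','justification','risks'}."""
    findings, per_group = [], Counter()
    for row in rows:
        cid, grp = row["control"], group_of(row["control"])
        if grp not in ANNEX_A_GROUPS:
            findings.append(f"{cid}: not in an Annex A control group")
            continue
        per_group[grp] += 1
        unknown = [r for r in row.get("risks", []) if r not in risk_register]
        if unknown:  # treatment traceability: referenced risks must exist in the plan
            findings.append(f"{cid}: references unknown risk(s) {unknown}")
        if row["applicable"] and not (row.get("risks") or row.get("justification")):
            findings.append(f"{cid}: applicable but traced to no risk or requirement")
        if not row["applicable"] and not row.get("justification"):
            findings.append(f"{cid}: excluded without justification")
    for grp, (name, expected) in ANNEX_A_GROUPS.items():
        # every one of the 114 controls needs a decision: check coverage per group
        if per_group[grp] != expected:
            findings.append(f"{grp} {name}: {per_group[grp]} of {expected} controls decided")
    return not findings, findings

def soa_template():
    """Constructed SoA: one placeholder row per Annex A control (ids like 'A.9-3'
    stand in for the real A.x.y.z numbering), each justified as a baseline."""
    return [{"control": f"{g}-{i}", "applicable": True, "risks": [],
             "justification": "baseline requirement of the ISMS policy"}
            for g, (_, n) in ANNEX_A_GROUPS.items() for i in range(1, n + 1)]

def sample_review():
    # seed three typical defects into a complete template and run the check
    rows = {r["control"]: r for r in soa_template()}
    rows["A.9-1"]["risks"] = ["R-01", "R-99"]                  # R-99 is not in the plan
    rows["A.14-1"].update(applicable=False, justification="")  # excluded, no reason given
    del rows["A.18-8"]                                         # one Compliance control undecided
    return check_soa(list(rows.values()), RISK_REGISTER)
```

`sample_review()` reports the three seeded defects; a complete, justified template passes with no findings.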

To add another layer of assurance, our experienced consultants can ensure that your team sets up the relevant information security controls relating to internal manpower and 3rd-party vendors, addressing both physical and digital security concerns. We will advise on the full scope of details required with regard to access control, communications security, management of information assets, and even considerations for setting up your physical office or arrangements for remote working. Any regulatory requirements to comply with will be highlighted as well.

After your Information Security Management System (ISMS) is set up, internal and supplier audits need to be performed on a regular basis (usually annually) to ensure compliance with regulations and standards. As required, we will walk the ground with you during these audits to ensure that all activities are compliant.

Audit Preparation

Our consultants can assist in annual internal audits

We understand the pressure to prepare for ISO 27001 audits conducted by external auditors.

Through years of experience with certification audits, our consultants will have you prepared for official audits conducted by your appointed certification bodies.

Using a systematic approach, our consultants perform independent internal audits to support your team in identifying any issues and rectifying any non-compliance in preparation for your ISO 27001 certification audits. These may be seen as pre-certification gap analyses or mock audits, performed to highlight gaps in the ISMS that need to be addressed and to suggest steps to close them.

At this stage, we would also share the necessary steps in maintaining the best practice (ISMS) to make sure that your organisation stays compliant all year round until the next annual audit.

Training and Competency

Our team ensures the competency of your team regarding ISO 27001 standards and requirements

We include a combination of online and in-person deep-dive training to make sure everyone within your team understands the requirements of the regulations and the ISO 27001 standard, as well as how to implement your ISMS processes and documents (i.e. procedures, records, etc.).

Frequently Asked Questions

At Stendard, we always advise interested parties to engage a professional team of consultants such as our Stendard team to simplify the arduous and complex process for you.

All we need from you is your undying determination to achieve regulatory compliance!

The purpose of being ISO 27001 certified is to ensure that your organisation has a robust information security management system to protect your digital assets (e.g. customer personal data) against malicious individuals.

It also provides you with a scalable framework to constantly monitor, review and improve your ISMS, ensuring that you will always be able to deter information security threats regardless of the size and complexity of your organisation.

ISO 27001 certification is worth every penny for any organisation that has digital assets. Here are the reasons why:

Enhanced corporate reputation

Being ISO 27001 certified means that you have the tools in place to strengthen your organisation across the three pillars of cyber security: people, processes and technology. This enhances your company’s image among the various stakeholders.

Avoidance of regulatory fines

ISO 27001 helps you to avoid the costly penalties associated with non-compliance with data protection requirements.

Ensure robustness and scalability of information security management system

As your organisation grows, people can become complacent and lose sight of their responsibilities regarding information security.

ISO 27001 helps you to create a system that has enough flexibility to ensure that everyone maintains their focus on information security tasks. It also requires organisations to conduct annual risk assessments, which help you make changes where necessary.

Ultimately, weighing the cost of ISO 27001 implementation against the potential cost of an information security incident, it is always advisable to choose the former.

Any organisation that operates on digital data and information should look to get ISO 27001 certified, because it provides stakeholders with confidence and assurance through the protection of digital assets.

Do you have any questions?

Drop us an inquiry now!