What is our ISO 27001 Consulting Process?
Getting ISO 27001 Certification can be challenging. With over 20 years of ISO consulting experience working with many organizations and industries, we have developed the Kelmac Group® 9-Step Roadmap to Going Beyond Certification. Select the icons below to learn more about each step and about how we can add enormous business value to your processes and to how you operate as a business.
Step 1 Foundation
This module focuses on the organization’s top leadership team and planning. The aim is to ensure the Top Leadership team can actively lead, participate and manage the management system from the outset.
This stage includes:
Information Security Organizational Health Assessment
Do you need customized services to assess the information security health of your organization and get a detailed overview of its alignment with the ISO 27001 standard? Apart from our 9-Step approach, which includes in-depth research into the organization’s information security environment, we also provide the health assessment as a separate service to help organizations get a real-time view of their information security posture. The output is an Information Security Health Assessment Report, which gives top management a view of the gaps identified. It also educates top management on the benefits of implementing the ISO 27001 ISMS framework to ensure compliance with industry best practices.
Business Case Preparation and Presentation
After we conduct an organization health assessment, and based on the gaps noted during that exercise, we can assist management in preparing a business case that provides a comprehensive overview of the risks identified and of how we can assist in implementing ISO 27001 to address those risks and issues. The business case is presented to top management to make them aware of the identified risks and of the benefits of implementing ISO 27001 to mitigate them, and to maintain a robust ISMS tailored to the organization’s goals and objectives.
Step 2 Process/Risk Management
This module focuses on the organization’s business and management system processes and on product/process risk assessments. The aim is to build and/or enhance the organization’s processes and to identify the related product and process risks, risk mitigation and controls.
Step 3 Objective/Process Alignment
This module focuses on the design of the organization’s internal controls, including alignment between goals and process controls. The aim is to ensure the business internal controls meet the needs of the organization.
Step 4 Human Resource System
This module focuses on the design of the organization’s structure, people, culture/behavior, and competency framework. The aim is to ensure the organization structure, culture, behaviors and HR system support the organization’s management system.
Step 5 Information Security Health Assessment & Controls
This module focuses on the health assessment and on the design and development of the organization’s information security controls based upon ISO/IEC 27002. The aim is to ensure the information security controls protect the organization’s commercially sensitive information assets.
This stage includes:
Information Security Health Assessment/Controls
Successfully completed the ISO/IEC 27001 ISMS Stage 1 Audit, but not sure of the adequacy of your controls and their operating effectiveness, which will be tested in the Stage 2 certification audit? We provide end-to-end services to help an organization implement the information security controls required by the ISO/IEC 27002 standard. We ensure that the controls within the organization are designed appropriately, based on the risks identified, and that they operate effectively, which is a requirement for achieving ISO/IEC 27001 certification.
Step 6 Document Management System
This module focuses on the design and development of the organization’s document management system. The aim is to ensure the document management system is effective.
Step 7 Implement The Management System
This module focuses on implementation of the organization’s management system. The aim is to ensure the management system is implemented flawlessly and that the expected benefits are fully realized.
Step 8 Check The Management System
This module focuses on verification of the organization’s management system. The aim is to ensure the organization’s verification system provides stakeholders with the assurance and insight needed to improve performance, if required.
Step 9 Certification Audit
This module involves coaching/mentoring during the initial certification audit process. The aim is to ensure the initial certification outcome is successful.
How Long Does It Take To Achieve ISO 27001 Certification?
One of the most common questions with this type of project is ‘how long does it take?’. There are various considerations, but the main ones include: is there a hard client/contract deadline? Are there resources available to support the project internally? The exact scope of work required and any potential complexity are also key considerations. Many organizations will want to aim for an efficient turnaround, but it is common for the amount of work required to be underestimated. The following gives an example of average timelines from start to certification based on the size of the organization – these are guidelines only. Each project varies and, in all cases, is based on the client’s needs.
The average for a small business would be between 6 – 9 months. In general, the shorter the timeline, the higher the intensity of the project. A key consideration is whether there are available resources who can commit to the agreed workload required for the preferred project duration.
This is the average project duration in the experience of Kelmac Group®. A 9-month project has moderate intensity but generally doesn’t overload a client, particularly where the resources involved in the project internally already have other priorities and responsibilities.
This is a conservative project duration for small to medium enterprises, but one that is common on larger, more complex projects. Certain projects may even extend up to 18 months.
*Each client project varies; the above are project averages to serve as a guideline only.
What Resources Do We Need For An ISO 27001 Certification Project?
Each and every business is different, and it depends on the availability of resources and whether or not they have the ‘bandwidth’ to meet the internal demands of the project. An average project would involve 2-3 internal resources sharing responsibilities as part of the project.
There are similarities between the challenges resources face whether you are a small, medium or large enterprise. An average project would involve 3-5 internal resources sharing responsibilities as part of the project.
This would vary for each enterprise based on the scope of the project and its complexity, including the enterprise’s structure. On average, we have seen specific steering committees formed, with implementation teams of 20+ assigned. The size of the organization, the number of locations and the complexity would more accurately determine the level of resources involved, and this would be a key outcome of Step 1 in the Kelmac Group® 9-Step Roadmap.
Our Consulting Service Includes
Our strategy development service helps organizations develop their information security strategy in alignment with their business objectives and goals. We conduct in-depth research of an organization’s policies, processes and procedures, and of the vision and mission it has defined, in order to help the organization prepare a comprehensive information security strategy.
Governance and Risk Compliance
The core of an organization’s overall information security posture lies in how strong its information security governance and risk compliance function is. The importance of management’s commitment to ensuring a well-controlled, monitored and overarching risk management function within its organization cannot be underestimated. Well-known real-life stories of huge financial losses and loss of reputation due to information security breaches and non-compliance with regulatory requirements over the years are familiar to all. Our governance and risk compliance services focus on aligning the organization’s business model to its information security model, enabling top management to set the ‘tone at the top’.
Information Security Training
Gaining an ISO 27001 Certification can be an intimidating task. We provide training on how to develop the documentation required for ISO 27001 at each step of the process, and we ensure that the training not only helps you understand the requirements and methods but also helps you maintain the documents on an ongoing basis. We provide the following ISO 27001-specific training with our consulting service:
- ISO/IEC 27001 Executive Awareness
- How to conduct a PESTLE Analysis
- Process Management Training
- Procedure Development Training
- Risk Management including RTP Methodology Training
- Document Controller Training
- Management System Awareness Training
- Internal Auditor Training
Information Security Program Management Support
We provide both pre- and post-implementation support for an ISO/IEC 27001 ISMS through our coaching and mentoring services, whether for existing clients or for new clients who require additional support to maintain their ISMS in accordance with ISO/IEC 27001. Our coaching and mentoring program ensures that an organization remains certified through the surveillance audits conducted yearly for 3 years by the ISO Certification Body/Registrar, as well as through future ISO/IEC 27001 re-certification audits, which are conducted in the 3rd year after the year the organization was certified as ISO 27001 compliant.
Information security risks are changing every day in this dynamic world. We provide information security risk assessment services as part of our service for the implementation of an ISO 27001-based ISMS. We also assess the current risks and threats that our client organization faces and the remediation actions it needs to take to control or eliminate each risk. We ensure that an organization is aware and up to date in its risk analysis and risk treatment on a dynamic basis.
Information Security Analytics
Having challenges with measuring and monitoring the effectiveness of your organization’s ISMS? We assist you in implementing a comprehensive security analytics system within your organization that enables top management to tangibly measure and monitor the information security compliance posture of the organization. Once it is implemented, we provide training on what to monitor and on the critical metrics to review on an ongoing basis to ensure your ISMS is functioning as intended.