ISO 27001 Certification Consulting

What is ISO 27001 Certification?

ISO/IEC 27001 belongs to the ISO/IEC 27000 family of standards and specifies the requirements for an Information Security Management System (ISMS). It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which is why it is also written ISO/IEC 27001. Adopting ISO 27001 means establishing, operating and continually improving an ISMS in line with the standard's clauses, and selecting controls from its Annex A through a risk assessment and risk treatment process; the controls selected (and those excluded, with justification) are recorded in a Statement of Applicability. Unlike the guidance standards in the 27000 family (such as ISO/IEC 27002), ISO 27001 states requirements that an organization can be formally audited against by an accredited certification body; passing that audit is known as gaining ISO 27001 Certification. Once ISO 27001 Certification is obtained, it provides assurance and confidence to internal management and other interested parties in the organization's information security program.

 

Benefits of ISO 27001 Certification

The benefits of implementing a comprehensive ISO 27001 ISMS are manifold for any organization. Not only does it safeguard the information the organization manages, it gives top management and interested parties confidence that the organization follows recognized industry best practice. Some of the major benefits to the business include:

  • 82% Safeguard your valuable data and intellectual property
  • 82% Help manage business risk
  • 73% Avoid financial penalties and losses due to data breaches
  • 72% Protect and enhance your reputation
  • 73% Build trust internally and externally
  • 56% Comply with business, legal, contractual and regulatory requirements
  • 56% Satisfy audit requirements

 

Two Types of Management Systems - Functional vs. Performance

There are predominantly two types of Information Security Management System that can be implemented: functional and performance-based. There are significant differences between the two. Functional systems are designed and implemented purely to gain ISO 27001 Certification (we refer to these as minimalist systems). Performance-based systems are fully aligned with the business model of the organization and geared towards enhancing its existing competitiveness.

Kelmac Group specializes in performance-based Information Security Management Systems, including ISO 27001 Certification.

What is our ISO 27001 Consulting Process?

Getting ISO 27001 Certification can be challenging. With over 20 years of ISO consulting experience working with many organizations and industries, we have developed the Kelmac Group® 9-Step Roadmap to Going Beyond Certification. Each step is described below, together with how we add business value to your processes and how you operate as a business.

Step 1 Foundation

This module focuses on the organization’s top leadership team and planning. The aim is to ensure the Top Leadership team can actively lead, participate and manage the management system from the outset.

This stage includes:

Information Security Organizational Health Assessment

Do you need a customized service to assess the information security health of your organization and get a detailed overview of its alignment with the ISO 27001 standard? Apart from our 9-Step approach, which includes in-depth research into the organization's information security environment, we also provide the health assessment as a separate service to give organizations a current view of their information security posture. The output is an Information Security Health Assessment Report, which gives top management a view of the gaps identified against the standard's requirements and Annex A controls. It also educates top management on the benefits of implementing an ISO 27001 ISMS and of following industry best practice.

Business Case Preparation and Presentation

After the organizational health assessment, and based on the gaps noted during that exercise, we assist management in preparing a business case. The business case gives a comprehensive overview of the risks identified and explains how implementing ISO 27001 will address them. It is presented to top management to make them aware of the identified risks and of the benefits of implementing ISO 27001 to mitigate those risks and to maintain a robust ISMS aligned with the organization's goals and objectives.

 

Step 2 Process/Risk Management

This module focuses on the organization's business and management system processes and on product/process risk assessments. The aim is to build and/or enhance the organization's processes and to identify the related product and process risks, risk mitigation and controls.

Step 3 Objective/Process Alignment

This module focuses on the design of the organization's internal controls, including alignment between goals and process controls. The aim is to ensure the business's internal controls meet the needs of the organization.

Step 4 Human Resource System

This module focuses on the design of the organization’s structure, people, culture/behavior, and competency framework. The aim is to ensure the organization structure, culture, behaviors and HR system supports the organization management system.

Step 5 Information Security Health Assessment & Controls

This module focuses on the health assessment and on the design and development of the organization's information security controls, using the implementation guidance in ISO/IEC 27002. The aim is to ensure the information security controls protect the organization's commercially sensitive information assets.

This stage includes:

Information Security Health Assessment/Controls

Successfully completed the ISO/IEC 27001 Stage 1 audit (the documentation review) but not sure of the adequacy of your controls and their operating effectiveness, which will be tested in the Stage 2 certification audit? We provide end-to-end services to help an organization implement the information security controls selected in its Statement of Applicability, using the implementation guidance in ISO/IEC 27002. We ensure that the controls are designed appropriately for the risks identified and that they operate effectively, both of which must be demonstrated for ISO/IEC 27001 certification to be achieved.

Step 6 Document Management System

This module focuses on the design and development of the organization's document management system. The aim is to ensure the document management system is effective.

Step 7 Implement The Management System

This module focuses on implementation of the organization's management system. The aim is to ensure the management system is implemented as designed and that the expected benefits are fully realized.

Step 8 Check The Management System

This module focuses on verification of the organization's management system. The aim is to ensure the organization's verification activities (internal audit and management review) give stakeholders the assurance and insight needed to improve performance where required.

Step 9 Certification Audit

This module involves coaching/mentoring during the initial certification audit process. The aim is to ensure the initial certification outcome is successful.

How Long Does It Take To Achieve ISO 27001 Certification?

One of the most common questions with this type of project is "how long does it take?". There are various considerations, but the main ones are: is there a hard client or contract deadline? Are there resources available to support the project internally? What is the exact scope of work required, and how complex is it? Many organizations will aim for an efficient turnaround, but it is common for the amount of work required to be underestimated. The below gives example average timelines from start to certification based on the size of the organization. These are guidelines only; each project varies and is in all cases based on the client's needs.

  • Small Business*

    The average for a small business would be between 6 and 9 months. In general, the shorter the timeline, the higher the intensity of the project. A key consideration is whether there are available resources who can commit to the agreed workload required for the preferred project duration.

  • Medium Business*

    This is the average project duration in the experience of Kelmac Group®. A 9 month project has moderate intensity but generally does not overload a client, particularly where the internal resources involved in the project already have other priorities and responsibilities.

  • Large Business*

    This is a conservative project duration for small to medium enterprises but one that is common on larger, more complex projects. Certain projects may even extend up to 18 months.

*each client project varies, the above are project averages to serve as a guideline only


What Resources Do We Need For An ISO 27001 Certification Project?


Small Business

Each and every business is different, and much depends on the availability of resources and whether they have the bandwidth to meet the internal demands of the project. An average project would involve 2-3 internal resources sharing responsibilities as part of the project.

Medium Enterprise

The challenges resources face are similar whether you are a small, medium or large enterprise. An average project would involve 3-5 internal resources sharing responsibilities as part of the project.

Large Enterprise

This varies for each enterprise based on the scope of the project and its complexity, including the enterprise's structure. On average, we have seen dedicated steering committees formed with implementation teams of 20+ assigned. The size of the organization, the number of locations and the complexity more accurately determine the level of resources involved, and sizing them is a key outcome of Step 1 in the Kelmac Group® 9-Step Roadmap.

Our Consulting Service Includes

  • Strategy Development

Our strategy development service helps organizations develop an information security strategy aligned with their business objectives and goals. We conduct in-depth research into an organization's policies, processes and procedures, and into the vision and mission it has defined, in order to help the organization prepare a comprehensive information security strategy.

  • Governance and Risk Compliance

The core of an organization's overall information security posture lies in the strength of its information security governance, risk and compliance function. The importance of management's commitment to a well-controlled, monitored and overarching risk management function cannot be overstated. Well-known cases of large financial and reputational loss resulting from information security breaches and non-compliance with regulatory requirements illustrate the cost of getting this wrong. Our governance, risk and compliance services focus on aligning the organization's business model to its information security model, enabling top management to set the "tone at the top".

  • Information Security Training

Gaining ISO 27001 Certification can be an intimidating task. We provide training on how to develop the documentation required for ISO 27001 at each step of the process, and we ensure that the training not only helps you understand the requirements and methods but also helps you maintain the documents on an ongoing basis. We provide the following ISO 27001 related training with our consulting service:

    • ISO/IEC 27001 Executive Awareness
    • How to conduct a PESTLE Analysis
    • Process Management Training
    • Procedure Development Training
    • Risk Management including Risk Treatment Plan (RTP) Methodology Training
    • Document Controller Training
    • Management System Awareness Training
    • Internal Auditor Training
  • Information Security Program Management Support

We provide both pre- and post-implementation support for an ISO/IEC 27001 ISMS through our coaching and mentoring services, whether for existing clients or for new clients who require additional support to maintain their ISMS in accordance with ISO/IEC 27001. Our coaching and mentoring program prepares an organization for the surveillance audits that the accredited certification body (registrar) conducts annually during the three-year certificate cycle, and for the ISO/IEC 27001 recertification audit at the end of the third year after initial certification.

  • Risk Assessment

Information security risks change every day in this dynamic world. We provide information security risk assessment services as part of our implementation of an ISO 27001-based ISMS. Additionally, we assess the current risks and threats our client organization faces and the remediation actions it needs to take to treat the risk (reduce, avoid, transfer or accept it). We ensure that an organization keeps its risk analysis and risk treatment current on an ongoing basis, as ISO 27001 requires.

  • Information Security Analytics

Having challenges measuring and monitoring the effectiveness of your organization's ISMS? We assist you in implementing a comprehensive security analytics system that enables top management to measure and monitor the organization's information security compliance posture in tangible terms. Once it is implemented, we provide training on what to monitor and on the critical metrics to review on an ongoing basis to ensure your ISMS is functioning as intended.

  • Fortune 500 Food and Beverage Company

    We worked in partnership with the Food and Beverage company [FBO] team and employed a number of initiatives to improve the firm’s competitiveness, operational controls and operational efficiency.

  • Zevas Communications

Kelmac Group assisted Zevas with the adoption of a consistent, best-practice approach to their information security controls and practices within a relatively young organization. This will help Zevas Communications provide a competitive, innovative and cost-effective customer contact and communication service to their clients.

  • LuLu International Exchange

    Kelmac Group helped LuLu International Exchange achieve a positive business change as the organization transitioned from a business funded organization to a sustainable and profitable organization. The project also included the successful achievement of ISO 9001:2015 Certification.       

  • Fortune 500 Food and Beverage Company Case Study

    Learn about how ISO can improve a firm’s competitiveness, operational controls and operational efficiency through process excellence.

  • Zevas Communications Case Study

    Learn about how ISO 27001 Certification will help Zevas Communications provide a competitive, innovative and cost effective level of customer contact and communication service to their clients.

  • LuLu International Exchange Case Study

    Learn about how this organization transitioned from a business funded organization to a sustainable and profitable organization including the successful achievement of ISO 9001:2015 Certification.


Request a Call Back

Our team is here to help, call us on 1.312.496.6607.
