ISO/IEC 27001 Information Security Management System Standard is one of the largest standards created by ISO. Businesses need to meet the requirements of the ISO/IEC 27001 standard in order to prevent all vulnerabilities that may affect the confidentiality, integrity and accessibility of their information.
The ISO/IEC 27001 standard is the standard used in the certification processes detailing the basic information security rules of the ISO/IEC 27000 family. For example; Sectoral standards in the ISO/IEC 27000 family; ISO/IEC 27019 (Energy industry-specific), ISO/IEC 27018 (Cloud Computing industry-specific), ISO/IEC 27799 (Health industry-specific) etc. other standards are also available. During the certification audits phase, the certification audit of the ISO/IEC 27001 standard is carried out taking into account the requirements of the sectoral standards.
Thanks to its expert staff, UITSEC accurately analyzes sectoral needs and keeps the efficiency of information security studies at a high level and provides maximum contribution to businesses. In compliance studies; current legislation, solution offers and technological developments are taken into consideration. Information security assets affecting the existing processes of the enterprises are identified and the risks affecting the confidentiality, integrity and accessibility of the processes are analyzed.
It strives to keep the level of awareness at the highest level by providing employees with trainings with appropriate samples for the activity of the business.
The UITSEC expert staff keeps up-to-date the procedures related to the processes of the business for the smooth and fastest execution of ISO/IEC 27001 certification works. It analyzes the compliance with the standard of the existing works that the enterprise has continued to implement before the ISO/IEC 27001 study. It directs the business for inappropriate work and works to take necessary actions.
Benefits of ISO/IEC 27001 Standard for Businesses
- • It ensures the confidentiality, integrity and accessibility of information that is important to businesses.
- • Since it is the largest standard within the scope of information security accepted all over the world, the level of information security of enterprises is high thanks to periodic audits.
- • It minimizes the risks of businesses and maximizes business continuity.
- • It identifies your weaknesses and determines the work steps you need to take.
- • It ensures customer reputation and meets their requirements in the best way.
- • It supports the business processes in the business to be dynamic and continuous.
- • Compliance with the standards of the enterprise is ensured by fulfilling the legal requirements.
- • Thanks to the established system, customers are one step ahead of their competitors in their evaluations.
Service Steps for ISO/IEC 27001 Project
Within the scope of the ISO/IEC 27001 project, UITSEC provides maximum support to the business at all stages, including the application for certification.
Main ISO/IEC 27001 working steps;
- • Providing leadership and organization
- • Performing scope analysis
- • Analyzing assets
- • Establishment of risk methodology
- • Performing risk analyzes
- • Taking risk processing actions
- • Carrying out corrective actions
- • Giving trainings
- • Establishment of policy, procedures and supporting documents
- • Determination of technical analysis
- • Determining performance monitoring criteria and taking action
- • Providing business continuity support
- • Preparation of the declaration of applicability by stating the justification
- • Performing internal audits
- • Realization of reports
- • Execution of external audit processes
- • Execution of post-audit support processes
- • Obtaining the certificate by accredited institutions
Information Security Policies to be Prepared under ISO/IEC 27001
Specific information security policies can be prepared in accordance with the sector or processes in which the institution operates. Non-specific main documents;
- • General Information Security Policies
- • Acceptable Use Policies
- • Password Policies
- • E-Mail Security Policies
- • Internet Usage Policies
- • Clean Desk Clear Screen Policies
- • Physical Security Policies
- • Access Control Policies
- • Business Continuity Policies
- • Change Management and Control Policies
- • Clean Desk and Clear Screen Policies
- • Data Archiving and Backup Policies
- • Information Destruction/Media/Equipment Policies
- • Usage Policies of Assets
- • Portable/Mobile Device Usage Policies
- • Malware Policies
- • Personnel Security Policies
- • Privacy Policies
- • Software Development and Management Policies
- • Data Backup and Recovery Policies
- • Server Security Policies
- • Network Management Policies
- • Remote Connection/VPN Management Policies
- • Management Policies of Suppliers/3rd Party Users
- • Change Management Policies
- • Authentication and Authorization Policies
- • Visitor Acceptance Policies
- • Management Policies of Violation Incidents
Information Security Procedures and Documents
In compliance studies, some procedures and documents that businesses may need are prepared.
Procedures;
- • Documents Management Procedure
- • Corrective and Remedial Action Procedure
- • Management Review Procedure
- • Internal Audit Procedure
- • Human Resources Procedure
- • Training Procedure
- • Asset Management Procedure
- • Risk Management Procedure
- • Maintenance Procedures
- • Business Continuity Procedure
- • Access Control Procedures
- • Network Devices Management Procedure
- • Data Backup Procedure
- • Log Management Procedure
- • Software Development Procedure
- • Physical Security Procedure
- • Incident Violations Management Procedure
- • Change Management Procedure
- • Supplier and Third Party Management Procedure
- • System Security Procedures
Forms and Other Documents;
- • Job Descriptions
- • Organization chart
- • Outsourced Document Forms
- • Corrective and Remedial Action Forms
- • Target and Performance Forms
- • Internal Audit Plan and Forms
- • Human Resources Forms and Documents
- • Asset Inventory Lists
- • Information Classification Documents
- • Risk Analysis Forms
- • Maintenance and Test Forms
- • Penetration Test Reports
- • Backup Lists and Archive Records Forms
- • Monitoring, Measurement, Analysis and Evaluation Forms
- • Supplier Evaluation Forms
- • Access Control Lists
- • Contact Lists
- • Statement of Applicability (SOA)
- • Incident Violation Forms
Business Continuity Plans and Business Impact Analysis