ISO 27001

Whether your organization is ready for ISO 27001 certification, and whether your ISMS will continue to operate stably once it is integrated, are critical questions for the operation process. Under the guidance of UITSEC consultants, the ISO 27001 work aims to have your organization operate as efficiently as possible by giving priority to the process and work cycle of an adequate and proportionate security design, and it plans to complete the ISO 27001 certification effort in the best and fastest way.

ISO 27001 Turnkey Project Service Steps

Process within the scope of Turnkey Project Consultancy: all processes, including the application for certification (risk analysis, documentation, gap analysis, management of the operation, internal audit, inspection, improvement, external audit and certification), are carried out by UITSEC.

  1. Investigation of the processes
  2. Training
  3. Project Management
  4. Risk Methodology
  5. Risk Analysis
  6. Asset Inventory
  7. Reporting
  8. Risk Processing Management
  9. Document Control
  10. Preparation of Documentation
  11. Preparation of the Necessary Processes
  12. Gap Analysis
  13. Teaching of ISO 27001 operation
  14. Determination of Records
  15. Internal Audit
  16. Control
  17. External Audit / Invitation of the Accredited Organization
  18. Certification

Project Implementation Steps:

  1. Preparation of the project file
  2. Receiving management support
  3. Defining the scope
  4. Writing the ISMS policy
  5. Identification of the risk assessment methodology
  6. Implementation of risk assessment and risk management
  7. Writing the applicability statement
  8. Implementation of the control and mandatory procedures
  9. Implementation of education and awareness programs
  10. Managing ISMS
  11. Monitoring the ISMS
  12. Internal audit
  13. Review by the management
  14. Corrective and preventive actions

Project Documents to be Produced during ISMS Implementation

  • ISMS Implementation and Certification Process Flow Chart
  • PDCA activities and Flow Chart showing the documents
  • Presentation of ISMS Implementation and Certification Process
  • ISMS Scope Definitions
  • ISMS Applicability Table
  • Gap Analysis Statement for the ISMS and its controls
  • Presentation of the gap analysis reports
  • ISMS Implementation Proposal – Sample Operations (Case Study)
  • ISMS Implementation Plan
  • Risk Treatment Plan
  • Applicability (SOA) Table (Sample)
  • Information Security Forum approvals / minutes / initiatives
  • Risk Assessment Methodology / Approach / Risk Management Strategy
  • Preparation of ISMS Organization and Chart
  • Preparation of an online FAQ on ISMS implementation
  • Information security glossary (online)
  • ISMS Implementation, Guidance and Measurements (compliance with ISO/IEC 27002)
  • Information Security Metrics
  • Information security awareness and concept presentation
  • Determination of the roadmap and documentation map

ISMS and Information Security Policies to be Prepared within the Scope of ISO 27001

  • General inclusive ISMS policies
  • Access control policies
  • Business continuity policies
  • Change management and control policies
  • Clean desk and clear screen policies
  • Data archiving and backup policies
  • Destruction of Information / Media / Equipment policies
  • E-commerce security policies
  • E-mail Security / Acceptable Usage Policies
  • Data Classification Policies
  • Information Security Risk Assessment Policies
  • Notebook PC Security Policies
  • Anti-malware Policies
  • Portable / Mobile Computer Policies
  • Outsourcing Security Policies
  • Password Policies
  • Penetration Testing Principles and Policies
  • Staff Security Policies
  • Physical Security Policies
  • Privacy Policies
  • Software Copyright Policies
  • Mail Security and Spam Policies
  • System / Data Backup and Recovery Policies
  • System Usage Monitoring Policies

Basic Technical Security Standards to be Prepared within the Scope of ISO 27001

  • Application servers
  • Databases
  • DCS (Distributed Control Systems) and SCADA (Supervisory Control And Data Acquisition)
  • Desktop Computers / Workstations / Laptops / Portables, PDAs
  • Development and test systems
  • DMZ (Internet-facing systems and devices installed in a demilitarized zone)
  • Key network devices such as firewalls, routers, switches, load balancers, etc.
  • Mainframes
  • Networks, wired and wireless (LAN and WAN, Wi-Fi, etc.), remote network access
  • Operating systems
  • Physical and environmental protection
  • Telephony, including PBX, VoIP and mobile phones, fax, video conferencing, etc.
  • Third-party systems

Procedures and Guidelines Regarding Information Security

  • Conformity assessment and auditing procedures
  • Data Backup and Restoration Procedure
  • Data Archiving Procedure
  • Digital Forensics Procedure
  • FMEA (Failure Mode and Effects Analysis) Risk Analysis Spreadsheet Procedures
  • Information Asset Valuation Guide
  • Information Asset Valuation Matrices
  • Information Security Awareness Materials
  • Information Security Risk Analysis Spreadsheet
  • Log Management and Inspection Procedure
  • Logical Access Rights Inspection and Maintenance Procedure
  • Network Security Procedures
  • Personnel Asset Valuation Guide
  • Physical Asset Valuation Guide
  • Security Administration Procedures
  • Security Incident Reporting Procedures
  • Security Patch and Technical Vulnerability Management Procedure
  • Secure System Lifecycle Procedures
  • Security Testing Procedures

Management System Procedures and Guidelines

  • Corrective Action Procedure
  • Corrective / Preventive Action Form
  • Document and Records Control Procedure
  • Exemptions Procedure
  • ISMS Audit Guide and Reporting Template
  • ISMS Internal Audit Procedure
  • Preventive Action Procedure

Job Descriptions Regarding Information Security

  • Emergency Planning and Disaster Recovery roles and responsibilities
  • The roles and responsibilities of general employees
  • Implementing Rules and Acceptable Usage Policy
  • Employee Handbook
  • Overall responsibility for the operation of the ISMS
  • Information Security Analyst Job Description
  • Information Security Architect Job Description
  • Information Security Officer Job Description
  • Information Security Tester Job Description
  • ISMS and / or IT Auditor Job Description
  • Security Manager Job Description
  • Third Parties’ Job Description

ISMS Operational Outcomes

  • Business Continuity Plan (business continuity oriented) and Test / Practice Reports
  • Business Impact Assessment Checklist and Reports
  • Data Restoration Form
  • Disaster Recovery Plan (IT service restoration-oriented) and Disaster Recovery Reports
  • Information Security Incident Report Forms and Reports
  • Solution Design and Architecture List (software development)
  • Threat and Vulnerability Checklists / Surveys and Reports

ISMS Records

  • Backup and Archival Record
  • Business Continuity Plan Record
  • Information Asset Inventory
  • Information Security Risk Record
  • Information Security Event Log Table
  • Privileges / Administrator Access and Authorization List
  • Software License Records
  • Standard Desktop Software List
  • System Patch and Antivirus Status Record
  • Third Party Access Records