ISO 27001

Establish an effective best practice data security management system

ISO 27001 is a widely used framework to help businesses to protect their information through the adoption of an Information Security Management System (ISMS). The basic goal of ISO 27001 is to protect the confidentiality, integrity and availability of information.

Applying the standards of ISO 27001 enables businesses to manage the security of assets such as financial information, intellectual property, employee details and information delegated by third parties.

Protect your reputation and customer expectations

The cyber threat landscape is increasing, and with it, the impact it can have on your business’s reputation and customers is also growing. Not only does the standard provide your company with the necessary know-how to safeguard your most valuable information, it also provides your customers and partners with the assurance that their data is safe.

As part of the certification process, qualified auditors seek and evaluate your business's security controls to address risk and mitigate security breaches. Including your technical, organisational, legal, physical and human resource security controls. The audit report will evaluate what you’re doing right and, most importantly, what needs improving.

We will help map out goals and objectives in an actionable approach to define data security responsibility across your teams.

As a certified ISO 27001 business, your ISMS is aligned with information security best practice.

FAQs

  • Where should a business start when looking to become ISO 27001 certified?

    Performing a GAP assessment exercise is the best place to start. This will allow your business to document your current state and the maturity towards ISO 27001. It will also help to roadmap the efforts and costs required to align with ISO 27001 and build the business use case for it.

  • What differentiates the ISO 27001 certification from PCI-DSS and HIPAA?

    There are many compliance standards that organisations are required to comply with or use as a best practice, but they’re not all the same.

    In addition, different sets of standards apply to businesses in various industries and not necessarily across the board. Four of the most frequently confused standards sets are ISO 27001, HIPAA, SOC and PCI-DSS. Organisations are often confused and wondering, are they the same thing? Are these standards/guidelines even similar? Do they all apply to your organisation? We will try to explain this in brief:

    HIPPA Compliance: One thing to remember, HIPAA only applies to businesses in the US, as it is a set of US federal guidelines.

    Health Insurance Portability and Accountability Act (HIPAA), pertains only to businesses that deal with patient health information. This goes beyond hospitals, medical clinics, and physician offices, including Insurance companies, medical clearinghouses and other businesses and their business associates that deal with medical data are bound by HIPAA and HITECH. HIPAA focuses more on the overall handling of patient medical information. The HITECH Act provides the rules for handling EMR (electronic medical records) and IT security within medical or health care organisations. It is important to note that some organisations (worldwide) use security controls in HIPPA as best practices for the security of health information.

    PCI-DSS: PCI-DSS is a set of guidelines governed by the payment card industry and applies to businesses that work with consumer credit card information. The standards apply to organisations compliance with these rules, and is mandatory for any business that holds, stores, analyses or otherwise uses cardholder information. PCI compliance requires strict adherence to the standards within the organisation in question, but it also applies to the business's IT infrastructure, including the company’s servers (in-house or outsourced to another data centre), website, shopping cart and more. The entire focus is on protecting consumer cardholder information.

  • What differentiates the ISO27001 certification from SOC?

    Before we discuss System and Organisation Controls (SOC), it's important to note that a crucial difference between the two is that ISO 27001 is a certification and SOC is not.

    SOC is a compliance report issued by a third party to assess against the AICPA’s trust service criteria. Think of AICPA as an organisation like ISO and trust service criteria as clauses in ISO 27001 standard.

    SOC has several types of reports (SOC 1, SOC 2, SOC 3). To understand these reports, we need to remember the following:

    SOC 1 – this report looks at service organisation’s internal controls over financial reporting systems.

    SOC 2 – this report focuses on controls at a service organisation relevant to security, availability, processing integrity, confidentiality or privacy.

    SOC 3 – this report is a summary of the overall SOC 2 report and is issued when organisations do not want to disclose the entire SOC 2 report.

  • Why is it important that The Missing Link is ISO 270001 certified?

    As one of Australia's leading and fastest-growing cyber security companies, we continually improve our internal security controls. When you grow as an organisation, it doesn't take long before there is confusion about who is responsible for which information assets.
     
    ISO/IEC 27001 helped us to address this challenge. Additionally, working with diversified customers and industries, we often find ourselves as a business needing to provide different types of attestation and assurances. ISO/IEC 27001 acted like the “cornerstone” and allowed us to build a strong foundation, and we can leverage it to give our customers a sense of our internal process and services maturity. ISO 27001 maps well with other management systems like NIST, ISM, CSP, and VPDSS to prove our information security management system compliance.
     
    Additionally, ISO 27001 mandates that we undertake regular reviews and internal audits of the ISMS to ensure its continual improvement. External auditors review our ISMS maturity annually to establish whether the controls are working as intended. This independent audit provides an expert opinion of whether the ISMS is functioning properly and provides the level of security needed to protect our business, services, and our customers information. It improves customer confidence through its demonstration of our commitment to cyber security and compliance with legality.
     
    We also have operations in the UK, so having the ISO 27001 certification guarantees our global clients that we manage data securely.

Perfect Partner Experience

Since engaging The Missing Link, we’ve worked on some significant projects, including security audits, maturity assessments and penetration testing exercises. The Missing Link is very proactive when it comes to identifying, analysing and alerting us to any threats. Importantly, I get to benefit from the most current advice on best practice across a number of industries. To help us in our security journey, we needed flexibility, attention to detail and a willingness to provide a bespoke solution to meet our needs and they’ve delivered every time on these fronts. Even with quick turnarounds they are always accommodating our needs, and helping us achieve our desired results. By leveraging their expertise, it helps us in our decision-making and I truly see them as an extension of our team. 

Carl Rowley | Cyber Security Manager, ENGIE