Information security plays an increasingly central role today within organizations. It goes without saying that the choice of a product or supplier is not made exclusively by evaluating its features. In addition to the quality/price ratio, variables at stake in today’s market also include the security measures provided by the supplier. It is, therefore, necessary to know the state of the art in cybersecurity in order to assess the state of the potential supplier in this regard and make improvements.
The ISO/IEC 27001:2013 standard establishes a system of controls aimed at maintaining and improving, according to a continuous cycle methodology (PDCA model), a system of correct information management (including personal data) within an organisation. This cyclical structure is necessary because it is well known that security is not a product, but a constantly evolving process.
As part of this activity, we offer the services of:
• consultancy to support your organisation through certification processes;
• drafting the relevant policies and procedures.
We will then proceed, with your support, to analyse the various ISO controls and verify them in the organizational context in order to identify any gaps. These gaps will be extensively documented in a detailed activity report, which will also include the relevant recommendations for increasing the ascertained level of corporate security and achieving compliance with the standard.
More precisely, the scheme of work will be that of the standard:
• Risk identification;
• Analysis and evaluation;
• Selection of control objectives and control activities for risk management;
• Management’s assumption of residual risk;
• Definition of the Statement of Applicability.
Note: drawing on the experience developed by the professionals of ICTLC – ICT Legal Consulting in the field of GDPR legal compliance, our Cybersecurity Advisors are able not only to verify the correct application of ISO/IEC 27001:2013 controls but also to relate them to the correct fulfillment of legal obligations regarding the protection of personal data.