ISO 27001 Implementation & Certification (ISMS)

What is the purpose of ISO 27001?

ISO 27001 was developed to help organizations, of any size or any industry, to protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).

Why is ISO 27001 important?

Not only does the standard provide companies with the necessary know-how for protecting their most valuable information, but a company can also get certified against ISO 27001 and, in this way, prove to its customers and partners that it safeguards their data.

Individuals can also get ISO 27001-certified by attending a course and passing the exam and, in this way, prove their skills to potential employers.

Because it is an international standard, ISO 27001 is easily recognized all around the world, increasing business opportunities for organizations and professionals.

What is an ISMS?

An Information Security Management System (ISMS) is a set of rules that a company needs to establish in order to:

identify stakeholders and their expectations of the company in terms of information security
identify which risks exist for the information
define controls (safeguards) and other mitigation methods to meet the identified expectations and handle risks
set clear objectives on what needs to be achieved with information security
implement all the controls and other risk treatment methods
continuously measure if the implemented controls perform as expected
make continuous improvement to make the whole ISMS work better

Why do we need ISMS?

There are four essential business benefits that a company can achieve with the implementation of this information security standard:

Comply with legal requirements – there is an ever-increasing number of laws, regulations, and contractual requirements related to information security, and the good news is that most of them can be resolved by implementing ISO 27001 – this standard gives you the perfect methodology to comply with them all.

Achieve competitive advantage – if your company gets certified and your competitors do not, you may have an advantage over them in the eyes of those customers who are sensitive about keeping their information safe.

Lower costs – the main philosophy of ISO 27001 is to prevent security incidents from happening – and every incident, large or small, costs money. Therefore, by preventing them, your company will save quite a lot of money. And the best thing of all – investment in ISO 27001 is far smaller than the cost savings you’ll achieve.

Better organization – typically, fast-growing companies don’t have the time to stop and define their processes and procedures – as a consequence, very often the employees do not know what needs to be done, when, and by whom. Implementation of ISO 27001 helps resolve such situations, because it encourages companies to write down their main processes (even those that are not security-related), enabling them to reduce lost time by their employees.

Funding Availability

Up to 80% Funding available for consultancy service fees & certification fees.

Being Certified Project Management Consultants, we are recognized by Enterprise Singapore fund up to 80% of the project cost through the EDG programme if you engage us now!

Click Here for more information on the grant support.

Our Flow Of Work

ISMS Scope Determination & Optimization

Scope determination is critical to a successful ISO-27001 certification effort. The scope needs to be broad enough to ensure that it will satisfy key stakeholders (e.g., clients, shareholders) but narrow enough to ensure the initial effort remains manageable.

Risk Assessment

Risk Assessment/Management is fundamental to an ISMS. This “information and the processes that act on it” approach yields a much more intuitive process that drives far greater value, in less time

Risk Treatment Plan Development

The risk treatment plan defines the controls required, including the necessary extent and rigor, to treat (mitigate) risk to a level that is deemed acceptable by management. It is a fundamental ISMS artifact and forms the basis/standard for the gap assessment.

ISMS Gap Assessment

Understanding the gap between the current and desired state of the Information Security Management System (e.g., ISO-27001) is a key input into a “Prioritized Roadmap” (Gap Remediation Plan).

Security Controls Gap Assessment

Understanding the gap between the current and desired state of the control practices is a key input into a “Prioritized Roadmap” (Gap Remediation Plan). ISO-27002 Gap Assessments are widely used outside of ISO-27001 certification efforts as a “best security practices” gap assessment and can also be used to serve as a form of design/operational attestation.

Gap Remediation Facilitation/Support

Ideally, gap remediation will be largely accomplished by the internal team, rather than a third party (like Pivot Point Security). An internally focused approach leveraging a third party for SME on demand, templates and artifact validation, maximizes the development of organizational knowledge/expertise, ensures that key personnel are “stakeholders” in the resultant control environment and prevents an organization from being overly reliant on a third party to operate the ISMS post certification.

Security Metrics

Security metrics are critical to the optimal operation of an ISMS, as they are integral to demonstrating the continuous improvement principles that are inherent in most ISMSs. This service is focused on simplifying the process of measuring, reporting and hence systematically improving ISMS effectiveness.

Policy, Standards, & Procedure (PSP) Support

PSPs form the backbone of any ISMS. Remarkably, although PSPs are the most basic elements of an ISMS, they are also one of the most complex to implement effectively. This is largely due to the comprehensive and inter-dependent nature of PSPs. Key decision points to consider before embarking on a PSP effort:

Structure: Ideally Policies, Standards & Procedures are segregated, which simplifies ongoing administration and version management. However, most organizations combine them, which yields complexity where a particular procedure is integral to multiple Standards and/or procedures.
Presentation: Most organizations leverage a linear document format for PSPs, which does a poor job of communicating their hierarchical nature and interdependencies. Increasingly, Wikis, SharePoints, and/or dedicated ISMS management systems are being leveraged to address this challenge.
Audience: PSPs often have multiple audiences (e.g., employees, IT personnel, contractors, consultants, management). Audience, structure and presentation are highly inter-related and are critical to ensuring that PSPs are understood and followed. If the desired audience can’t EASILY find all of the information relevant to a particular issue they are attempting to address, a non-conformity is almost certain to occur.
Business: The company’s size, risk/risk tolerance, internal expertise, resource availability, budget and current PSP maturity level significantly impacts the effort.
External: The regulations and external business contexts can notably impact the effort.
Version Control: It is critical that mechanisms to ensure that all necessary approvals for changes are auditable, version histories are retained and only current versions are readily accessible.

ISMS Internal Audit

Integral to the PDCA model of most ISMSs is a requirement to conduct an internal audit to determine whether the control objectives, controls, processes and procedures of its ISMS:

Conform to the requirements of ISO-27001 and relevant legislation or regulations;
Conform to identified information security requirements;
Are effectively implemented and maintained; and
Perform as expected.

What are the requirements for ISO 27001?

The mandatory requirements for ISO 27001 are defined in its clauses 4 through 10 – this means that all those requirements must be implemented in an organization if it wants to be compliant with the standard. Controls from Annex A must be implemented only if declared as applicable in the Statement of Applicability.

The requirements from sections 4 through 10 can be summarized as follows:

Clause 4: Context of the organization – defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS scope.

Clause 5: Leadership – defines top management responsibilities, setting the roles and responsibilities, and contents of the top-level Information Security Policy.

Clause 6: Planning – defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security objectives.

Clause 7: Support – defines requirements for availability of resources, competencies, awareness, communication, and control of documents and records.

Clause 8: Operation – defines the implementation of risk assessment and treatment, as well as controls and other processes needed to achieve information security objectives.

Clause 9: Performance evaluation – defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review.

Clause 10: Improvement – defines requirements for nonconformities, corrections, corrective actions, and continual improvement.

ISO 27001 mandatory documents

ISO 27001 specifies a minimum set of policies, procedures, plans, records, and other documented information that are needed to become compliant.

ISO 27001 requires the following documents to be written:

Scope of the ISMS (clause 4.3)
Information Security Policy and Objectives (clauses 5.2 and 6.2)
Risk Assessment and Risk Treatment Methodology (clause 6.1.2)
Statement of Applicability (clause 6.1.3 d)
Risk Treatment Plan (clauses 6.1.3 e and 6.2)
Risk Assessment Report (clause 8.2)
Definition of security roles and responsibilities (controls A.7.1.2 and A.13.2.4)
Inventory of Assets (control A.8.1.1)
Acceptable Use of Assets (control A.8.1.3)
Access Control Policy (control A.9.1.1)
Operating Procedures for IT Management (control A.12.1.1)
Secure System Engineering Principles (control A.14.2.5)
Supplier Security Policy (control A.15.1.1)
Incident Management Procedure (control A.16.1.5)
Business Continuity Procedures (control A.17.1.2)
Statutory, Regulatory, and Contractual Requirements (control A.18.1.1)

And these are the mandatory records:

Records of training, skills, experience and qualifications (clause 7.2)
Monitoring and measurement results (clause 9.1)
Internal Audit Program (clause 9.2)
Results of internal audits (clause 9.2)
Results of the management review (clause 9.3)
Results of corrective actions (clause 10.1)
Logs of user activities, exceptions, and security events (controls A.12.4.1 and A.12.4.3)

What are the 14 domains of ISO 27001?

There are 14 “domains” listed in Annex A of ISO 27001, organized in sections A.5 to A.18. The sections cover the following:

A.5. Information security policies: The controls in this section describe how to handle information security policies.

A.6. Organization of information security: The controls in this section provide the basic framework for the implementation and operation of information security by defining its internal organization (e.g., roles, responsibilities, etc.), and through the organizational aspects of information security, like project management, use of mobile devices, and teleworking.

A.7. Human resource security: The controls in this section ensure that people who are under the organization’s control are hired, trained, and managed in a secure way; also, the principles of disciplinary action and terminating the agreements are addressed.

A.8. Asset management: The controls in this section ensure that information security assets (e.g., information, processing devices, storage devices, etc.) are identified, that responsibilities for their security are designated, and that people know how to handle them according to predefined classification levels.

A.9. Access control: The controls in this section limit access to information and information assets according to real business needs. The controls are for both physical and logical access.

A.10. Cryptography: The controls in this section provide the basis for proper use of encryption solutions to protect the confidentiality, authenticity, and/or integrity of information.

A.11. Physical and environmental security: The controls in this section prevent unauthorized access to physical areas, and protect equipment and facilities from being compromised by human or natural intervention.

A.12. Operations security: The controls in this section ensure that the IT systems, including operating systems and software, are secure and protected against data loss. Additionally, controls in this section require the means to record events and generate evidence, periodic verification of vulnerabilities, and make precautions to prevent audit activities from affecting operations.

A.13. Communications security: The controls in this section protect the network infrastructure and services, as well as the information that travels through them.

A.14. System acquisition, development and maintenance: The controls in this section ensure that information security is taken into account when purchasing new information systems or upgrading the existing ones.

A.15. Supplier relationships: The controls in this section ensure that outsourced activities performed by suppliers and partners also use appropriate information security controls, and they describe how to monitor third-party security performance.

A.16. Information security incident management: The controls in this section provide a framework to ensure the proper communication and handling of security events and incidents, so that they can be resolved in a timely manner; they also define how to preserve evidence, as well as how to learn from incidents to prevent their recurrence.

A.17. Information security aspects of business continuity management: The controls in this section ensure the continuity of information security management during disruptions, and the availability of information systems.

A.18. Compliance: The controls in this section provide a framework to prevent legal, statutory, regulatory, and contractual breaches, and audit whether information security is implemented and is effective according to the defined policies, procedures, and requirements of the ISO 27001 standard.

A closer look at these domains shows us that managing information security is not only about IT security (i.e., firewalls, anti-virus, etc.), but also about managing processes, legal protection, managing human resources, physical protection, etc.

Sage Shield Safety Consultants Pte Ltd

5.0

Based on 203 reviews

review us on

Sean

09:10 10 Nov 21

Exceptional service and professionalism. Mr Thong is responsive and is able to convey any information or clarifications... succinctly. I am incredibly pleased with how he assisted me in my company's certification needs.read more

Chen Cen

02:26 11 Dec 20

We were looking for bizSAFE Star vendor to help us renew our bizSAFE3 status. They are very efficient, friendly and... helpful, within two or three days we have finished our risk management implementation & scheduled audit. Finally we got the certification. Highly recommend!read more

Ganhy1994

11:05 03 Dec 20

Got to know Sage Shield from my manager whom previously worked with Mr Thong their consultant. I need to submit tender... for project and required a bizSAFE4 certification. I called him up and got instant reply and quotation just in a blink. He further managed and planned for me the schedules and supported our audit through. I will personally recommend Sage Shield Safety Consultants to help you get your ISO or bizSAFE certificationsread more

Lim Mui Lian

02:27 26 Nov 20

I was looking for someone to help out with our bizsafe 4 certification and chance upon Mr Thong. He explain to me over... the phone and zoom session with my boss. We quickly understand the requirement and trust him that he could deliver the service. I was totally right and he has done it professionally which I will highly recommend to fellow business ownersread more

Ruddy Y

05:55 23 Nov 20

Sage Shield is run by a team of professionals who are helpful and very efficient. Thank you for the smooth process and... application for our Biizsafe3 certification. Look forward to working closely again!read more

Jeff Goh

02:10 18 Nov 20

Great bizsafe service, I was looking high and low for someone responsive and finally I found sage shield who responses... to me within like 10min and settle all my schedules and advice me on my work activities for my risk assessment. I probably wouldn't think that I could achieve my certification for my company without sage shield. Will look forward in taking iso system from them too .read more

Cheing Cheng Yew

02:29 13 Nov 20

Made everything so easy. Very friendly and helpful. No hassle.

Tan Kok wei

02:17 21 Oct 20

Great bizsafe consulting services. Very meticulous and friendly consultant. Advised me on smm procedures and risk... assessment matters. Highly recommended for business ownersread more

Weiyao Lu

06:50 20 Oct 20

Prompt, objective and effective. Need a consultant, they are the true deal.Highly recommended!

Humphrey Soh

06:58 05 Oct 20

Good implementation work and guidance on risk assessment evaluation. Bizsafe 3 explanation is awesome. Highly... recommended for SME owners. Down to earth consultants that understand the needs of businessread more

Eng Soon Cheng

02:30 02 Oct 20

Great service for the bizsafe 3 renewal , our status are almost expiring and we do not know who to find. Then we chance... upon sage shield safety consultants pte Ltd and their reply is almost instant and we managed to renew our status in time. Highly recommendedread more

SP Lee

06:02 30 Sep 20

Great bizsafe 3 experience from sage shieldConsultant take time to understand the whole work flow of the work... activities and advice accordingly on the risk management. Highly recommendedread more

wein ang

02:30 22 Sep 20

Great bizsafe consultation , the risk assessment and safe work procedure is well done and effective.Thumbs up and will... recommend more friends and business partner to Sage Shield for their good servicesread more

Shawn Koh

08:10 16 Sep 20

Very good and professional bizsafe 3 service. The implementation is smooth, consultant is friendly and knowledgeable.... Will look more into the iso system in future. Thumbs upread more

Gary Chong

03:59 11 Sep 20

Impressive Instruction on risk management implementation. Bizsafe 3 renewal at a breeze.Safety Consultant also did a... complimentary site inspection on site which is very valuable for the site team. Highly recommended to all.read more

Irene Tan

03:22 07 Sep 20

Good service , bizsafe 3 consultation is smooth and professional. Highly recommended

Marco Wong

04:04 04 Sep 20

Detail explanation and advise from Safety Consultant.

Chan Coreen

08:01 26 Aug 20

Very professional and efficient service provided by Sage Shield and Mr Thong, our consultant is impressive in his work... and provides great advise to us in achieving the bizsafe certificate. We highly recommend them for their excellent service.read more

boon lai Wam

05:10 29 Jul 20

Very professional service. Consultancy for bizSAFE 3 is such good experience, Will definitely recommend Sage Shield to... everyoneread more

ZhaoJie Low

04:00 16 Jul 20

Very professional service and in deep risk assessment. Hassle free on the Bizsafe service , will look forward in taking... iso business management system with sage shield safety consultants Pte Ltd thumbs upread more

JENNY ANG

08:07 10 Jul 20

Good services on bizsafe implementation and very professional company . Especially the safety Consultant, Mr Thong who... assisted us a lot. Very fast respond and efficient service. Well planning and friendly . Highly recommended.read more

Joey Ng

07:50 08 Jul 20

Great bizsafe service , thumbs up. Risk assessment well done.

Desmond Tan

07:26 29 Jun 20

Safety Consultant, Mr Thong, did a quick risk assessment review for us. I needed a quick turnaround and he delivered as... promised. Impressive work indeed. Furthermore, he was very flexible with his charges and it really helped me to surmount of production issues on the ground. I'm keeping his number in my phone for all bizSAFE implementation issues.read more

jiovian ng

03:05 17 Jun 20

Mr Thong the safety consultant had assisted us for Safe management measures implementation and well done. Very fast... response and efficient service Thank you so much. Highly recommendedread more

Eugene Siew

02:42 02 Jun 20

Very professional and straightforward. Great service and prompt response. Highly recommended.

Vicky Tan

06:28 11 Mar 20

My experience in working with Sage Shield Safety Consultants Pte Ltd was very much a positive one.Mun professionalism... was refreshing and I would welcome the opportunity to thank him.Thank you for making the Level 3 certification process a very pleasant and speedy one.read more

Mun Mun

04:43 02 Nov 17

Comprehensive fire safety management services to assist building/premise owners and operators to fulfill the regulatory... requirement and to meet their corporate emergency preparedness requirementread more

Next Reviews