Security Management

Security Management 


Our team create and build information security and privacy management frameworks, policies and processes aligned to major standards and customised to meet your individual requirements.

We can support you at any stage in your management system lifecycle: whether design, implementation, maintenance or review.


Our security management services include:


How can we help?

Our team can help with a full range of ISO 27001 and 27701 services including:

  • Scope definition: Designed for organisations starting out on their compliance journey, a Scope Definition activity helps stakeholders and project managers to understand what systems and processes they should include within the scope of the ISO 27001 Information Security Management System (ISMS)/ ISO 27701Personal Information Management System (PIMS).
  • Gap analysis: A Gap Analysis activity is suitable for organisations that require a detailed understanding of where they are in terms of their ISMS and/or PIMS. It also provides a clear roadmap to certification.
  • Risk assessments: A risk assessment is a key requirement of an ISO 27001/ISO27701 implementation. We can develop a risk management process aligned to the requirements of ISO 27001/ISO27701 and support the carrying out of risk assessment(s) and the creation of Risk Treatment Plan(s).
  • ISMS implementation: The ISMS implementation service is designed specifically to help organisations fill the gaps highlighted in an ISO 27001/ISO27701 Gap Analysis. It will take organisations all the way to their certification audit.
  • Internal audit: An Internal Audit is a requirement of the ISO 27001 and ISO 27701 standards and is suitable for organisations that have an operating ISMS and are either planning to certify or have certified previously. Our team can provide the resources needs for your internal audit –covering some or all the clauses and controls in scope.
  • Training and awareness: We have off-the-shelf and custom developed training and awareness programs to cover all your information security and privacy training and awareness needs.


ISO 27001: Information Security Management System

Implementing an ISMS based on internationally recognised standard ISO 27001 will enable effective information security risk management and improve your overall cyber security posture.


What is ISO 27001?

ISO 27001 is a globally recognised information security standard.

ISO 27001 specifies the requirements for an Information Security Management System (ISMS), to help organisations identify, assess, manage and mitigate the risks associated with managing corporate information. It allows organisations to adopt a risk-based approach to information security that is in line with international best practices.

Achieving ISO 27001 certification demonstrates to your customers and commercial partners that you are truly committed to maintaining the highest standards in information security. Not only does it improve your organisation’s credibility, it can give you a competitive edge over your competition.


ISO 27701: Privacy Information Management System

Implementing a PIMS based on internationally recognised standard ISO 27701 will enable effective privacy risk management, aligned to your information security management system. Adding privacy management to your information security management system will help your organisation comply with privacy and data protection laws including the GDPR and the Australian Privacy Act.

Implementing an ISO 27701 compliant PIMS will also ensure that you have effective data privacy management systems stakeholders can trust. By reducing the potential information security and privacy risks for individuals and your company by using the controls, you create a more trustworthy brand.


What is ISO 27701?

ISO 27701 is a privacy standard, published in August 2019.  ISO 27701 serves as an enhancement to ISO 27001. It specifically gives assurance that your organization complies with generally applicable privacy requirements.

Before you can implement an ISO 27701 PIMS, you must first have the ISO 27001 ISMS in place. The technical and system requirements of a PIMS and an ISMS share significant overlap. The connection between the two makes the implementation of ISO 27001 with ISO 27701 straightforward.

For companies that already possess the certifications for ISO 27001, the process of applying ISO 27701 is relatively straightforward.  ISO 27701 supplements the controls included in ISO 27001 and in addition contains specific requirements for processors and controllers.


Information Security policies and procedures

Policies, procedures, manuals and checklists are an important part of every security and privacy management system.

The Privacy 108 team has developed all the documentation and guidance your organisation needs to put an effective ISMS and PIMS in place and meet the requirements to achieve certification to ISO 27001 and ISO 27701.

As an example, starting with our templates, we can work with you on developing any of the following:

  • Information Security Policy
  • Privacy Policy
  • Data Classification Policy
  • Access Control Policy
  • Privacy Manual
  • Information Security Management System Manual
  • Information Security Risk Management Process
  • IT Security Policy
  • Remote Working Policy
  • Incident response plan
  • Vendor Security and Privacy Checklist
  • Supplier management policy

Our team can also review any existing policy and procedures and update to ensure they meet latest requirements.

Security Management FAQ’s

Can ISO 27001 and ISO 27701 be used by small or medium sized organisations?

The ISO 27001 and ISO 27701 standards are flexible and can be adapted for organisations of all sizes. The scope can be designed to suit your organisation’s specific circumstances and can align with any existing management frameworks you have in place.

What are the benefits of ISO 27001/ISO27701 Certification?

The benefits of having the ISO 27701/ISO 27701certification include:

  • Data privacy compliance: ISO 27701 provides assurance that your company is compliant with privacy   privacy regulations and requirements.
  • Integrity: Your organization can conduct activities as usual with the confidence that you can manage security risks surrounding your invested parties’ information.
  • Cost and time-saving: With ISO27001/ISO 27701 certification, you’ll be able to reply to security and privacy questionnaires, comply with security regulations and assure individuals that you have risk management systems in place.
  • Preparedness: You will help prepare your organization for the further development of privacy and security regulations and requirements

How do you get certified to ISO 27001 and ISO 27701?

To achieve ISO 27001 certification, you’ll need to undergo a series of audits. Here’s what you can expect to prepare for and complete your certification.

Phase one: create a project plan: You need a plan. ISO 27001 and ISO 27701 implementation programs are complex, involve the whole organisation and can be difficult.  You won’t be successful without a plan. It’s also important to educate yourself on the ISO 27001 standards, the key requirement plus the ISO 27002 controls is a key part of this process.

Phase two: scope your ISMS: Unlike other management systems, ISO 27001 gives you the right to define a specific scope for your ISMS – it does not have to cover the whole organisation. For some companies, the scope of their ISMS includes their entire organization. For others, it includes only a specific department or system. You can determine exactly what information assets you need to protect as part of your ISMS.

Phase three: perform a risk assessment and gap analysis: You must complete a risk assessment for both your ISMS and PIMS. It is a requirement of both ISO 27001 and ISO 27701. The risk assessment will help identify controls that you need to implement, as well as ensure you meet one of the fundamental requirements of the standard. You should also do a gap analysis against ISO 27001 (and the security controls listed in ISO 27002) and ISO 27701.

The findings from the gap analysis should be added to the Risk Treatment Plan from the risk assessment and together be part of a remediation plan. The Risk Treatment Plan is another essential document for ISO 27001 certification. It records how your organization will respond to the threats you identified during your risk assessment process.

The remediation plan should include all the actions needed to meet compliance requirements.

Phase four: design and implement policies and controls:  In this phase, you will start implementing the policies and controls identified in your remediation plan, together with the other actions needed to meet the requirements of ISO 27001 and ISO 27701.

You’ll need to produce a Statement of Applicability as part of your audit evidence.

The Statement of Applicability summarizes and explains which ISO 27001 controls and policies are relevant to your organization. This document is one of the first things your external auditor will review during your certification audit.

Phase five: document and collect evidence of system operation: To get ISO 27001 and ISO 27701 certification, you’ll need to prove to your auditor that you’ve established effective policies and controls and that they’re functioning as required by the ISO 27001 standard.

Collecting and organizing all of this evidence can be extremely time-consuming. It’s important that you integrate the collection of required evidence into your system as part of the design.

Phase six: complete an ISO 27001 certification audit  In this phase, an external auditor will evaluate your ISMS to verify that it meets ISO 27001 requirements and issue your certification.

A certification audit happens in two stages. First, the auditor will complete a Stage 1 audit, where they review your ISMS documentation to make sure you have the right policies and procedures in place.

Next, a Stage 2 audit will review your business processes and security controls. Once Stage 1 and Stage 2 audits are complete, you’ll be issued an ISO 27001 certification that’s valid for three years.

Phase seven: maintain continuous compliance  ISO 27001 is all about continuous improvement. You’ll need to keep analysing and reviewing your ISMS to make sure it’s still operating effectively. And as your business evolves and new risks emerge, you’ll need to watch for opportunities to improve existing processes and controls.

The ISO 27001 standard requires periodic internal audits as part of this ongoing monitoring. Internal auditors examine processes and policies to look for potential weaknesses and areas of improvement before an external audit.

Who are Privacy 108?

Privacy108 is owned and led by one of Australia’s leading security and privacy professionals, Dr Jodie Siganto. The Privacy108 team includes lawyers, consultants and trainers who between them hold many years of experience in delivering privacy and security solutions for Australian organisations.

We have worked as in-house counsel and senior executives, and understand the pressures faced by executives, CISOs, Chief Privacy Officers, procurement teams and in-house lawyers. Our team’s industry experience is complemented by extensive legal knowledge and a desire to assist our clients with high quality practical advice.

Contact Us

  • We collect and handle all personal information in accordance with our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.