Our team designs and builds information security and privacy management frameworks, policies and processes aligned to the major standards and customised to your individual requirements.
We can support you at any stage of your management system lifecycle: design, implementation, maintenance or review.
Our security management services include:
Our team can help with a full range of ISO 27001 and 27701 services including:
Implementing an ISMS based on the internationally recognised standard ISO 27001 enables effective information security risk management and improves your overall cyber security posture.
ISO 27001 is a globally recognised information security standard.
ISO 27001 specifies the requirements for an Information Security Management System (ISMS), helping organisations identify, assess, treat and monitor the risks associated with managing corporate information. It allows organisations to adopt a risk-based approach to information security that is in line with international best practice.
Achieving ISO 27001 certification demonstrates to your customers and commercial partners that you are committed to maintaining high standards of information security. As well as improving your organisation’s credibility, it can give you an edge over your competitors.
Implementing a Privacy Information Management System (PIMS) based on the internationally recognised standard ISO 27701 enables effective privacy risk management aligned to your information security management system. Adding privacy management to your ISMS will help your organisation comply with privacy and data protection laws, including the GDPR and the Australian Privacy Act.
An ISO 27701 compliant PIMS also gives you a data privacy management system that stakeholders can trust. By using its controls to reduce the information security and privacy risks to individuals and to your company, you build a more trustworthy brand.
ISO 27701 is a privacy standard published in August 2019. It extends ISO 27001 (and the ISO 27002 controls) with privacy-specific requirements and guidance, and certification provides assurance that your organisation has an operating PIMS that meets those requirements.
Before you can implement an ISO 27701 PIMS, you must first have an ISO 27001 ISMS in place. The technical and system requirements of a PIMS and an ISMS overlap significantly, and that connection makes implementing ISO 27001 together with ISO 27701 straightforward.
For companies that already hold ISO 27001 certification, applying ISO 27701 is a relatively straightforward extension. ISO 27701 supplements the controls in ISO 27001 and adds specific requirements for PII controllers and PII processors.
Policies, procedures, manuals and checklists are an important part of every security and privacy management system.
The Privacy108 team has developed the documentation and guidance your organisation needs to put an effective ISMS and PIMS in place and to meet the requirements for certification to ISO 27001 and ISO 27701.
As an example, starting from our templates, we can work with you to develop any of the following:
Our team can also review your existing policies and procedures and update them to meet the latest requirements.
The ISO 27001 and ISO 27701 standards are flexible and can be adapted for organisations of all sizes. The scope can be designed to suit your organisation’s specific circumstances and can align with any existing management frameworks you have in place.
The benefits of ISO 27001/ISO 27701 certification include:
To achieve ISO 27001 (and ISO 27701) certification, you’ll need to undergo a series of audits. Here’s what to expect as you prepare for and complete your certification.
Phase one: create a project plan: You need a plan. ISO 27001 and ISO 27701 implementation programs are complex, involve the whole organisation and can be difficult; you won’t succeed without one. Educating yourself on the ISO 27001 standard itself, its key requirements and the ISO 27002 controls is also an important part of this phase.
Phase two: scope your ISMS: ISO 27001 lets you define a specific scope for your ISMS; it does not have to cover the whole organisation. For some companies the scope includes the entire organisation; for others only a specific department or system. You determine exactly which information assets you need to protect as part of your ISMS, and the scope you choose is what the auditor will assess.
Phase three: perform a risk assessment and gap analysis: You must complete a risk assessment for both your ISMS and your PIMS; it is a requirement of both ISO 27001 and ISO 27701. The risk assessment identifies the controls you need to implement and satisfies one of the fundamental requirements of the standards. You should also do a gap analysis against ISO 27001 (and the security controls listed in ISO 27002) and against ISO 27701.
The findings from the gap analysis should be added to the Risk Treatment Plan produced from the risk assessment, and together they form your remediation plan. The Risk Treatment Plan is another essential document for ISO 27001 certification: it records how your organisation will respond to each risk identified during the risk assessment.
The remediation plan should include all the actions needed to meet compliance requirements.
Phase four: design and implement policies and controls: In this phase you start implementing the policies and controls identified in your remediation plan, together with the other actions needed to meet the requirements of ISO 27001 and ISO 27701.
You’ll need to produce a Statement of Applicability as part of your audit evidence.
The Statement of Applicability lists which ISO 27001 Annex A controls apply to your organisation, whether each has been implemented, and the justification for including or excluding each one. This document is one of the first things your external auditor will review during the certification audit.
Phase five: document and collect evidence of system operation: To gain ISO 27001 and ISO 27701 certification, you’ll need to show your auditor that you have established effective policies and controls and that they are operating as the standards require.
Collecting and organising all of this evidence can be extremely time-consuming. Build the collection of required evidence (records, logs, review minutes, approvals) into the system as part of its design rather than assembling it before the audit.
Phase six: complete an ISO 27001 certification audit: In this phase an external auditor from an accredited certification body evaluates your ISMS to verify that it meets the ISO 27001 requirements, and the certification body issues your certificate.
A certification audit happens in two stages. First, the auditor completes a Stage 1 audit, reviewing your ISMS documentation to confirm that the required policies and procedures are in place.
Next, a Stage 2 audit examines your business processes and security controls in operation. Once the Stage 1 and Stage 2 audits are complete, you are issued an ISO 27001 certificate valid for three years, subject to periodic surveillance audits during that period.
Phase seven: maintain continuous compliance: ISO 27001 is built around continual improvement. You’ll need to keep analysing and reviewing your ISMS to make sure it is still operating effectively, and as your business evolves and new risks emerge, look for opportunities to improve existing processes and controls.
The ISO 27001 standard requires periodic internal audits and management reviews as part of this ongoing monitoring. Internal auditors examine processes and policies to find weaknesses and areas for improvement before the external auditor does.
Privacy108 is owned and led by one of Australia’s leading security and privacy professionals, Dr Jodie Siganto. The Privacy108 team includes lawyers, consultants and trainers who between them hold many years of experience delivering privacy and security solutions for Australian organisations.
We have worked as in-house counsel and senior executives, and understand the pressures faced by executives, CISOs, Chief Privacy Officers, procurement teams and in-house lawyers. Our team’s industry experience is complemented by extensive legal knowledge and a commitment to giving our clients high-quality, practical advice.