Risk & Compliance
ISO 27001:2013 Audit and Certification

The purpose of our audit and compliance services is to assist our clients in defining and achieving ISO 27001 certification.

To ensure the most value in achieving ISO certification, CyberHunter follows a general process which includes:

  1. Educate – Ensure the organization understands ISO 27001 and how it will impact them.
  2. Plan – Establish the management system by establishing policies, objectives, processes and procedures related to risk management.
  3. Initiate – Implement and operate the policies, controls, processes and procedures of the management system.
  4. Monitor – Monitor and review the management system and, if necessary, measure process performance against the policy and desired objectives of the ISMS.
  5. Remediate – Undertake corrective and/or preventative action, based on the results from the monitoring phase or management direction, to continually improve the system.
  6. Certify – Once controls within the ISMS are operational and are meeting their measurable thresholds, the entity can go through the official certification process to achieve ISO 27001 compliance.

ISO 27001 Education 

Before an organization can proceed through the ISO 27001 certification process, the stakeholders and the overall organization need to understand the purpose and benefits of the ISO 27001 framework and process.

To achieve this common level of understanding, CyberHunter will provide education sessions to the ISMS committee, management stakeholders and end users to ensure a common level of understanding for the organization. 

The scope of The Customer ISMS will be confirmed by completing the following main activities:

  1. Confirm ISMS Scope. We will review the artifacts The Customer makes available and conduct discovery interviews with personnel to confirm a clear understanding of:
  • Desired outcomes of the organization and the ISMS
  • External and internal issues relevant to the organizational purpose that affect the organization's ability to achieve its intended outcomes
  • The requirements of internal and external interested parties
  • The interfaces and dependencies with third-party organizations
  2. Prepare the ISMS Scope Statement. We will prepare the ISMS Scope Statement outlining our high-level understanding of The Customer organization and the scope of the ISMS. The Scope Statement will be reviewed and approved by The Customer to ensure it accurately represents the information security management system. Updates will be made to this report to include any feedback from The Customer. Once finalized, the Scope Statement will be the foundation for the risk assessment.
  3. Risk Assessment/Risk Treatment Plan. We will perform a risk assessment against the environment, where The Customer and CyberHunter will establish risk criteria to ensure subsequent risk assessments produce consistent, valid and comparable results. Upon completion of the risk assessment, risk treatment options will be presented, discussed and documented with management for approval of the plan. As part of the process, acceptance of residual risk will be identified and documented.

ISMS Certification

CyberHunter will provide The Customer with assistance in determining the ISMS policies, procedures, guidelines and processes that need to be implemented to achieve ISMS certification. This process will result in a number of workstreams and activities that align with the ISO 27001 objectives and the applicable Annex A controls, including but not limited to:

  • Information Security Policies 
  • Asset Management 
  • Human Resource Security 
  • Access Control 
  • Cryptography 
  • Physical and Environmental Security 
  • Operational Security
  • Vulnerability management 
  • Backup planning 
  • Logging and monitoring of systems 
  • Communications Security 
  • System acquisition, development and maintenance 
  • Third party Relationships 
  • Information Security Incident Response management 
  • Business Continuity 
  • Legal and Regulatory Compliance 

During the implementation of the various portions of the ISMS, CyberHunter assists in monitoring the effectiveness of the controls through regular touchpoints throughout the engagement. The monitoring of the controls will ensure that they are effective and appropriate for the ISMS. As controls are implemented and improved, the risk treatment plans will be adjusted as necessary. The touchpoints will be broken down by the implementation of the various controls in Annex A of ISO 27001.

The Customer will be provided with feedback through the major/minor findings discovered while monitoring the ISMS. The Customer will be required to remediate the deficiencies in their ISO process/procedure and collect sufficient artifacts to demonstrate the improvement of the control. Once the artifacts are reviewed and the major/minor findings are documented as remediated, The Customer will be required to continue monitoring the effectiveness of the control.

BE PROACTIVE.

Trust in a network device is very temporary. Be proactive and ensure you scan, test and hunt on a regular basis.

TRUST NOTHING.

Security teams should NEVER trust an endpoint or server until it can be PROVEN to be trusted.

MALWARE CAN GET IN.

Companies need to prepare and be ready to respond to advanced persistent threats.

Cyber Security & Pen Test Consultants in Canada, the US and the Caribbean