ISO 27001: Information Security Management
At Orion, our team of experts will guide you through the process. Our knowledgeable and personable auditors will make this a rewarding experience to help strengthen your internal controls. Outputs from the certification process will highlight your strengths, weaknesses (non-conformances) and any opportunities for improvement.
Why Work with Orion on ISO 27001
Orion has a long track record in providing certifications that address information security concerns in an increasingly interconnected, cloud-based world.
We are currently the only firm endorsed by three industry associations to audit their members, and we reward this trust by only using auditors that have an overall customer satisfaction rating of 99% or better. Our auditors have over 15 years of auditing experience, making them seasoned and proven professionals.
Our long experience means that we truly know and understand the IT industry, including its typical processes, commonly used software, and industry terminology. As a result, our auditing services are efficient and effective, and we will work with you to establish mutual goals up front to make sure your needs are fully met. If you are looking to certify to multiple standards, we also provide integrated audits so that you can achieve certification to multiple standards in one audit (e.g. ISO 27001 / ISO 9001 / ISO 14001 / ISO 45001 / ISO 17100 / R2), ultimately saving you both time and money.
The Importance of ISO 27001
The global work environment has changed significantly over the past couple of years as COVID-19 has forced many businesses to move to a remote or blended work scheme and operate from cloud-based platforms. This shift has resulted in a dramatic increase in the transmission of documents, data, and sensitive information over the internet and cybersecurity is now more important than ever.
According to a Cybersecurity Ventures report of August 24, 2020, global cybercrime costs are expected to grow by “15 percent per year over the next five years and reach $10.5 trillion annually by 2025.” These cybercrime costs include theft of intellectual property and customer information, theft of personal or corporate financial data, lost productivity, fraud, embezzlement, ransom payments for locked systems, and the effort required to restore changed or deleted data.
A breach of information can be devastating to an organization’s reputation and pose a potential liability.
With the increased risk of cybersecurity breaches, demand for information security standards such as ISO 27001 (Information technology — Security techniques) has grown. With a focus on continual improvement, certified companies must identify the information they are trying to protect, assess the risks surrounding that information, and implement the required controls and processes to protect it.
Breakdown of the ISO 27001 Standard
Like other ISO management system standards such as ISO 9001, ISO 27001 has a core set of management system requirements (setting goals and objectives, conducting management reviews, and so on), but the main difference is in the Annex A controls. Annex A of ISO/IEC 27001:2013 identifies 114 controls in 14 groups and 35 control categories; the company must consider every control and, in its Statement of Applicability, justify any it treats as not applicable. (The 2022 revision of the standard restructures Annex A into 93 controls across four themes, so check which edition your certification is being assessed against.)
The 14 groups include:
- A.5: Information security policies (2 controls)
- A.6: Organization of information security (7 controls)
- A.7: Human resource security (6 controls, applied before, during, and after employment)
- A.8: Asset management (10 controls)
- A.9: Access control (14 controls)
- A.10: Cryptography (2 controls)
- A.11: Physical and environmental security (15 controls)
- A.12: Operations security (14 controls)
- A.13: Communications security (7 controls)
- A.14: System acquisition, development, and maintenance (13 controls)
- A.15: Supplier relationships (5 controls)
- A.16: Information security incident management (7 controls)
- A.17: Information security aspects of business continuity management (4 controls)
- A.18: Compliance (8 controls)
Get Started with ISO 27001 Quickly and Easily
Discover the key steps to take in order to effectively implement ISO 27001 and protect your sensitive information. We will get you up and running with the standard in no time.
Overview of the Audit Process
Sign the Agreement
Perform GAP Audit (optional)
Perform Stage 1 Audit: Readiness Review
This review is conducted to determine whether your organization is ready to move to the Stage 2 Audit (Certification Audit) by confirming that:
- The management system addresses all the requirements of the standard.
- The management system has been implemented and the client is ready for the Stage 2 Audit (Certification Audit).
Note that a full management review and internal audit must occur prior to conducting the Stage 2 Audit (Certification Audit).
Perform Stage 2 Audit: Certification Audit
This onsite audit is conducted to ensure that the processes and documents examined during the Stage 1 Audit (Readiness Review) are in use and that the system is implemented according to the requirements of the standard.
The key deliverables from this stage include:
- An audit report detailing positive aspects, issues for resolution (non-conformances), and areas for improvement.
- A recommendation regarding your registration.
Finalize Audit Report and Receive Certificate
The results from the Stage 1 and Stage 2 audits are reviewed to ensure that all Orion accreditation requirements have been met and a proper recommendation made. At this point, approval is given to either certify, seek clarification, or not certify.
Perform Surveillance or Recertification Audit
Registration is based on a 3-year cycle. To maintain your certification, your organization must participate in an onsite review each year. The first two are surveillance audits and look only at a portion of your system, whereas the third-year review (recertification) is a more comprehensive audit that examines your overall system for continued effectiveness.