SOX ISO 27001 Mapping Services
More and more, SecureWorks is seeing government, financial services and many other industries require the third parties they work with to be ISO 27001 certified. Given its global recognition, and given that its requirements form a security standard that applies to all industries, certification can help organizations improve their security posture as well as make themselves more appealing to potential partners. In this video, Hadi Hosn, Head of Security Strategy and GRC Consulting, covers the SecureWorks ISO 27001 Certification Methodology. This comprehensive methodology includes detailed phases such as:
• Defining certification scope
• Defining assets & scope
• Risk assessment
• Implementation and improvement
• Audit
Transcript: I’m going to talk you through the ISO 27001 certification methodology that we have at SecureWorks. ISO 27001 is an industry standard for information security. It’s been around for a number of years and it helps organizations align to and certify to a standard that applies to any industry. More and more we’re seeing government organizations and financial services organizations require the third parties they work with to be ISO 27001 certified. We have a methodology to help those organizations through that certification lifecycle. The first phase of the certification methodology is really defining the scope of that certification. Defining the scope is agreeing as a business where that certification will apply, whether it’s a data center, an office in Germany, or the global offices of that organization.
That moves us onto actually defining the ISMS policy. The ISMS policy is a document that formalizes the scope of the ISO certification. It includes things like the roles and responsibilities. It includes things like accountability for security and includes the RACI matrix of what security is responsible for versus the business units. And that defines how the security organization is going to be structured across the company.
The next phase of that certification is around defining the assets and scope of certification. Now the assets can be information assets or physical assets. The information assets can be customer data. They can be financial data. Or they can be things like intellectual property. We need to define those and agree that those are within the scope of certification.
The physical assets include IT assets, or they could also be physical offices and locations and the data centers that we have. Once the assets are defined we can then do a risk assessment. Now the risk assessment is possibly the most important part of the ISO certification process. This is where SecureWorks really adds value to the entire lifecycle.
The risk assessment consists of a threat assessment and a control assessment. When you talk about threat assessment, this is where we identify what the threats are to those assets that we’ve identified.
This could be information that we bring in from our Counter Threat Unit to apply to that organization. That includes both internal and external threats to the organization and defines what they really need to worry about from a threat landscape perspective. For the control assessment, ISO provides a set of controls that organizations can pick from in order to certify to the standard. In the control assessment, the expectation is that SecureWorks will help the organization identify which of those controls they need to comply with in order to address the risks that have been identified based on the asset priorities. So, SecureWorks will come in and help them identify those controls and assess that organization using questionnaires and interviews with stakeholders to define where the gaps are. As an output from this risk assessment, the organization will have a set of gaps and weaknesses that they need to improve on as an organization. The next phase is really to implement and improve on security.