INFORMATION SECURITY MANAGEMENT

Major steps of our service

The first and most important step in the preparation phase of the project is to obtain management support. DACHS consultants explain the ISMS implementation process to management and other interested parties in order to obtain the necessary support. Interested parties are identified for each step of the ISMS implementation, and activities are carried out with their cooperation and approval.

The major steps of the project are as follows: 

  • Define scope 
  • Analyze existing controls and policies to identify gaps 
  • Set up management system (create documentation and templates) 
  • Initiate the management system (facilitate creation of plans, train colleagues, carry out internal audit and prepare management review) 

Consultants may support customers during third-party audits. Our aim is long-term cooperation; customers are not abandoned after the successful initiation of the ISMS or the certification audit. DACHS is ready to cooperate in the operation and updating of the management system.

Customer involvement

In a quality management system, value-adding processes are unique, but supporting and management processes are generally identical across organizations. The ISO 27001 standard, however, has an extensive list of controls to cover, so the ISMSs of different organizations differ considerably from one another. It is a fundamental principle that setting up a management system does not mean adapting the organization to a predefined documentation set; rather, the documented procedures have to be tailored to follow as many of the existing best practices as possible. The key success factor is a close working relationship with management and interested parties. An in-depth understanding of existing guidelines, policies, SOPs, operating procedures and methodologies, users’ expectations, company values and culture, technical infrastructure, and security procedures and capabilities is crucial. There are proven principles and document structures, but procedures will differ due to several factors, such as the existing devices, competence and risk appetite.

Information security consultancy services follow the logic and written requirements of the ISO 27001 standard. Implementing an ISO 27001-compliant management system is never a one-way communication project: the consultant and the customer must cooperate throughout. How tasks are shared during the implementation project depends on the customer's available resources and willingness to participate. As the project reaches the lower levels of the document hierarchy (e.g. IT operating instructions), customer participation becomes increasingly important, because gathering the necessary information through the consultants is time-consuming and customer representatives still have to review and correct the results. At this level, therefore, the most efficient method is for consultants to create document templates or stubs and support their completion.

Special knowledge

The ISO 27001 standard requirements are generic and applicable to businesses and organizations of all sizes and types. Customers that DACHS experts have worked with include companies of different sizes from a range of sectors (e.g. healthcare, retail and consultancy firms).

We have advised customers on the implementation of complete information security management systems (including compiling asset inventories, carrying out risk assessments and drafting procedures), on carrying out internal audits, on preparing management reviews and on conducting pre-audits (an independent audit that precedes the certification body's audit, to increase confidence in a successful outcome).

DACHS experts have not only a consultancy background but also decade-long experience as third-party auditors. This helps identify critical deficiencies, improving operational security and maximizing the certification audit success rate.