ISO 27001

ISO27001 is one of the globally recognised information security frameworks. It is a standard that sets out information security best-practice recommendations for organisations of any size or industry. The goal of setting up an information security management system according to the recommendations of the standard is to minimise technology risks and to ensure business continuity by proactively limiting the impact of a security breach.

While highly regulated businesses may be required to implement an information security management system as part of their regulatory obligations, many organisations obtain ISO27001 certification to demonstrate that they have identified the risks, assessed the implications and put in place systemised controls to limit any technology and information security damage to the organisation.

ISO27001 certification provides a competitive advantage in winning new business, as it increases the reliability and security of systems and information, thereby improving the confidence of existing and potential customers and business partners.

Kyte Consultants have the knowledge and expertise to guide organisations in implementing the information security management system. Starting with understanding the requirements and discussing the business need for ISO27001 all the way to certification, Kyte is able to:

  • Perform a gap analysis of information security against the ISO27001 standard;
  • Identify and draft the mandatory information security management system documentation;
  • Provide training and support to identify, log and manage risks according to the ISO27001 standard;
  • Identify and apply the relevant controls to reduce the level of identified risks;
  • Guide through all stages of implementing the information security management system, including collection of required evidence and audit preparation.

Since ISO27001 is a framework and a standard of information security best practice, it can be used to optimise and improve the information security posture of an organisation as a whole, or of individual elements of information security such as third-party security, incident management, business continuity or access control, without going through the certification process.

Q: I am already PCI DSS compliant. How difficult will it be for me to obtain ISO 27001 compliance?

The answer to this question is not straightforward. PCI DSS is very prescriptive and defines exactly what it requires. ISO27001, on the other hand, is more generic and covers a wider spectrum of information security requirements. PCI DSS focuses on the security of card data only, whilst ISO27001 covers all of information security as applied to the scope in question. Having said that, PCI DSS controls are all applicable to ISO27001 and you will find overlap between the two. This means that any controls you put in place for the purpose of PCI DSS compliance will be useful in achieving ISO27001 compliance. Nothing is conflicting.

Q: I am a gaming operator with multiple licences and I am being asked by the regulator to become ISO certified. Where do I start?

The first thing to do is to identify the scope. We recommend that you start with a narrow scope at the beginning, especially since ISO27001 brings with it considerable change in processes, so it pays to reduce the complexity at the start. One of the first exercises in any ISO27001 project is a risk assessment. Everything else follows from the results of the risk assessment. Contact us for more information.