ISO 27001 Consultancy

We provide ISO 27001 consultancy with our experts in the field.

Information Security Management System

With BTYÖN's Information Security Consultancy service you can reduce your risks, increase business benefit and ensure the continuity of your business while obtaining ISO 27001 Information Security Management System (ISMS) certification. We provide ISO 27001 ISMS consultancy backed by more than 10 years of experience in information security, and with it you can establish a management system that is sustainable after the certificate is issued. BTYÖN covers the full range of ISO 27001 ISMS consultancy needs, from employee awareness training to the use of all necessary tools. The basis of our ISMS implementation is ISO 27001, the international standard for information security management systems.

BTYÖN prepares your company for the ISO 27001 certification audit by implementing all ISO 27001 ISMS processes together with you. The consultancy service starts with determining the scope of your information security management system and ends with your company receiving the certificate. BTYÖN also offers training and workshop solutions for businesses that want to establish an ISO 27001 ISMS with their own resources. In the workshops, the methodologies your company needs for establishing the ISMS are determined and explained in practical terms, the documents that need to be prepared are identified, and the team that will prepare the documentation is given the information it needs.

For many companies, the information they hold is as critical as any other asset. To secure it, information technology departments generally rely on security products and security mechanisms. The role of technical measures cannot be denied, but unless information security is approached on a risk basis, there can be no ISO 27001 information security management system that is accepted and implemented across the whole organisation.

Many studies have shown that technical measures alone are insufficient to eliminate information security risks, and that activities such as risk analysis and awareness training must accompany them. The human factor must not be ignored when ensuring information security. In businesses where information security matters, all information security work should be handled within a management system.

BTYÖN's consultants have delivered certification consultancy projects for many ISO 27001-certified organisations in the service, telecommunications and public sectors, ranging in size from 30 to 8000 employees. The portal infrastructure required to manage information security is customised by BTYÖN to your needs, and the infrastructure needed for the ISMS to keep living after certification is put in place.

Our ISO 27001 Information Security Management System Application Methodology

An ISO 27001 Information Security Management System (ISMS) is a systematic approach to managing an organisation's sensitive information. Its main purpose is to protect that information, and it covers employees, business processes and information technology (IT) systems alike.

The most widely used guidance for information security management is ISO/IEC 27002, the code of practice for information security controls. It sets out general principles and guidance for initiating, implementing, maintaining and improving information security management within a business. ISO/IEC 27001, "Information Security Management Systems - Requirements", is the standard against which an ISMS built with ISO/IEC 27002 as its guide is certified. It specifies the requirements for establishing, implementing, monitoring, reviewing, maintaining and improving a documented ISMS in the context of the organisation's overall business risks. The control objectives and controls listed in Annex A of ISO/IEC 27001 correspond to those detailed in ISO/IEC 27002: ISO/IEC 27001 is what the auditor certifies against, and ISO/IEC 27002 describes how the selected controls are implemented.

ISO 27001 and ISO 27002 are the primary reference sources for an ISMS. Both address information security directly, but neither is a technical or technology-dependent standard: organisations are free to choose the methods and technologies they apply.

Within the ISO 27001 Information Security Management System standard, the PDCA (Plan - Do - Check - Act) model is used for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the ISMS. The PDCA model takes the information security requirements and expectations of interested parties as input and, through the necessary actions and processes, produces information security outcomes that meet those requirements and expectations. Within the ISMS project to be carried out in your business, consultancy is provided on every step of the PDCA cycle, and all information necessary for your business to operate the ISO 27001 ISMS on its own is transferred by BTYÖN.

Ensuring Top Management Awareness
The issues that senior management needs to know about the Information Security Management System and the ISO 27001 standard, and the senior management support the management system requires, are conveyed to senior management in detail. The presentation lasts approximately 2 hours. During the session with senior management, the information needed to determine the scope and prepare the policy is gathered.

Determination of ISMS Scope
The scope of the ISMS can be a specific part of the organisation or the organisation as a whole; in either case, the organisation must define the scope and its boundaries completely and accurately. The scope is determined by taking into account internal and external issues, the intent of top management, and the needs and expectations of interested parties. ISO 27001 does not prescribe what the scope should be; it requires the organisation to justify it. When determining the scope, interfaces and dependencies with units and external organisations that are excluded from the ISMS must be taken into account, and the organisation must be able to explain with solid justification why anything excluded from the scope was excluded. At the end of this step, a scope document is published and approved by senior management.

ISMS Policy
The policy provides a framework that sets out the objectives, directs and mobilises management, and determines the scope of risk management and the criteria by which risks will be evaluated. For the ISO 27001 ISMS policy to serve its purpose, management must make employees feel its determination that the items in the policy will be implemented.

Asset Management Approach
A systematic approach should be defined for identifying the assets that need to be protected within the scope of the ISO 27001 ISMS and for rating their value in terms of confidentiality, integrity and availability. Using this approach, the information asset inventory is created and an asset value is assigned to each information asset. The method must also define how the asset inventory is kept up to date. Your business's asset management approach will be tailored to your organisation's needs.

Creating an Information Asset Inventory
Your business's information asset inventory is created in accordance with the approach determined in the previous step. BTYÖN provides consultancy support wherever it is needed during the creation of the inventory.

Risk Management Approach
In accordance with the ISO 27001 standard, a systematic risk management approach is defined on the basis of the information security policy. The organisation is free to choose an approach that suits it, but the chosen approach must produce comparable and repeatable results. In this step, acceptable risk levels are determined and risk acceptance criteria are developed. The risk management approach covers all rules for identifying, rating, prioritising and treating risks.

Risk Identification
The risks to the assets that need to be protected are identified using the approach defined in the previous step, with the information asset inventory as input. For each asset in the inventory, the vulnerabilities of the asset and the threats that could exploit them to harm the asset, and therefore your business, are determined; risks are then derived from these according to the method in the risk management approach. Identifying vulnerabilities includes identifying technical vulnerabilities, so the necessary technical analysis is carried out to support the risk identification work, and findings are documented in line with the risk management approach. The risks to your business's information assets are gathered by interviewing the asset owners.

Risk Treatment Plan
As a requirement of ISO 27001, appropriate risk treatment methods are determined for the identified risks. Four different options can be taken against a given risk:
1. Reducing the risk to an acceptable level, or eliminating it, by applying appropriate controls
2. Avoiding the risk by eliminating the factors that cause it
3. Transferring the risk to parties outside the organisation, such as insurance companies or suppliers
4. Accepting the risk objectively and knowingly, provided this complies with corporate policy and the risk acceptance criteria

A risk treatment plan is created for the risks identified in this study. The risk that remains after treatment is called residual risk; it may be risk that has been accepted or risk that cannot be completely eliminated. The organisation's senior management must approve the residual risks, so at the end of this step a residual risk approval document is created.
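The risk management approach above requires comparable and repeatable results, and the treatment step requires that residual risk above the acceptance criteria be explicitly approved by senior management. The following script is an added example written for this page, not BTYÖN's tooling and not anything prescribed by ISO 27001, of a minimal risk register that enforces those rules: the rating scales (1 to 3 for confidentiality, integrity, availability and likelihood), the formula risk level = asset value x likelihood, the acceptance threshold of 3, and the sample assets, threats and controls are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed scales from a constructed risk management approach: asset value and
# likelihood are rated 1..3, risk level = asset value x likelihood, and any
# risk above ACCEPTABLE_RISK_LEVEL needs treatment or explicit approval.
SCALE = range(1, 4)
ACCEPTABLE_RISK_LEVEL = 3

# The four treatment options listed on the page.
TREATMENTS = {"reduce", "avoid", "transfer", "accept"}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self):
        # Reject ratings outside the scale so results stay comparable.
        for rating in (self.confidentiality, self.integrity, self.availability):
            if rating not in SCALE:
                raise ValueError(f"{self.name}: CIA ratings must be in {list(SCALE)}")

    @property
    def value(self) -> int:
        # Asset value is the highest of the three ratings (an assumed convention).
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int
    treatment: Optional[str] = None         # reduce | avoid | transfer | accept
    control: Optional[str] = None           # selected control; feeds the SoA
    residual_likelihood: Optional[int] = None  # estimated likelihood after treatment

    def __post_init__(self):
        if self.likelihood not in SCALE:
            raise ValueError("likelihood must be in 1..3")
        if self.treatment is not None and self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")
        if self.treatment in ("reduce", "transfer") and self.residual_likelihood not in SCALE:
            raise ValueError(f"{self.treatment} requires a residual likelihood in 1..3")

    @property
    def inherent_level(self) -> int:
        return self.asset.value * self.likelihood

    @property
    def residual_level(self) -> int:
        if self.treatment == "avoid":
            return 0                          # the activity causing the risk is removed
        if self.treatment in ("reduce", "transfer"):
            return self.asset.value * self.residual_likelihood
        return self.inherent_level            # accepted, or no treatment decided yet

    @property
    def requires_approval(self) -> bool:
        # Residual risk above the acceptance criterion needs senior-management sign-off.
        return self.residual_level > ACCEPTABLE_RISK_LEVEL


def risk_register(risks):
    """Return register rows ordered by inherent level, highest first (prioritisation)."""
    rows = []
    for r in sorted(risks, key=lambda r: r.inherent_level, reverse=True):
        rows.append({
            "asset": r.asset.name, "owner": r.asset.owner, "threat": r.threat,
            "inherent": r.inherent_level, "treatment": r.treatment or "UNTREATED",
            "control": r.control, "residual": r.residual_level,
            "requires_approval": r.requires_approval,
        })
    return rows


def untreated_above_threshold(risks):
    """Risks exceeding the acceptance criterion with no treatment decision yet."""
    return [r for r in risks if r.treatment is None and r.inherent_level > ACCEPTABLE_RISK_LEVEL]


# Constructed sample inventory and risks for illustration only (not real data).
CRM = Asset("customer CRM database", "Sales Director", confidentiality=3, integrity=3, availability=2)
WIKI = Asset("internal wiki", "IT Manager", confidentiality=1, integrity=2, availability=1)

SAMPLE_RISKS = [
    Risk(CRM, "credential theft via phishing", "no MFA on remote access", likelihood=3,
         treatment="reduce", control="multi-factor authentication on remote access",
         residual_likelihood=1),
    Risk(CRM, "ransomware", "backups not tested", likelihood=2,
         treatment="transfer", control="cyber insurance policy", residual_likelihood=1),
    Risk(WIKI, "accidental deletion", "no page versioning", likelihood=2, treatment="accept"),
    Risk(WIKI, "outdated content disclosed", "open guest access", likelihood=3),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(row)
    print("untreated:", [r.threat for r in untreated_above_threshold(SAMPLE_RISKS)])
```

Two things make the register repeatable: every rating is validated against the scale before any level is computed, and the treatment decision is data, so the residual level and the approval flag are derived rather than typed in. The accepted wiki risk (level 4) is correctly flagged for senior-management approval, and the untreated guest-access risk shows up separately so it cannot slip into the residual risk approval document without a decision.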

Declaration of Applicability
As required by ISO 27001, a Statement (Declaration) of Applicability is prepared listing the controls selected to treat the risks. It explains which controls were selected and why. The controls from ISO 27001 Annex A that were not selected, together with the justification for excluding them, are also recorded in the Statement of Applicability.

ISO27001 ISMS Process, Procedure, Plan Preparation and Commissioning
In this step, the processes, procedures, forms and plans required by the information security management system are prepared. Documents are needed both for the controls selected in the Statement of Applicability and to satisfy every requirement of the ISO 27001 standard. Examples of topics that may be covered by policies and procedures are:
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Security
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Plan
• Compliance
• Internal Audit
• Management Review
• Document Control Procedure
• Record Control Procedure
• Continual Improvement
• Measurement of Control Effectiveness
• Corrective and Preventive Actions

User Training (or Train the Trainer)
Information Security User Awareness Training must be provided to employees within the scope of the ISO 27001 information security management system established in your business. Depending on the size of the scope, this can be delivered as classroom training or through e-learning.

Internal Audit
As part of implementing the ISO 27001 Information Security Management System, an independent internal audit is carried out. For this, the internal audit procedure, internal audit programme and plan, and internal audit checklist are prepared. The internal audit identifies nonconformities, and root cause analysis and corrective action planning are carried out for every nonconformity found.

Management Review of the ISMS
In accordance with ISO 27001, senior management must periodically review the established Information Security Management System. The review is carried out in a meeting attended by management; the required inputs and the expected outputs of the meeting are specified in the ISO 27001 standard, and the standard requires that the management review outputs be documented.

Support for the Certification Process
Following the management review, the ISO 27001 certification audit can begin. If a nonconformity is raised during the certification audit, the work needed to close it is carried out without delay, after which the ISO 27001 certificate is issued.

For more information

19 Mayıs Mah. İnönü Caddesi. Sümer Sokak. Zitaş Blokları.
C-1 Blok Daire:8 34736 Kadıköy İSTANBUL
0 (216) 380 00 70
© 2011-2024 BTYON. All rights reserved.