By:
JAY IMSZENNIK
March 3rd, 2017
The intent of achieving and maintaining compliance with ISO 27001 is for an organization to demonstrate its continuing ability to proactively assess its information security risk posture and manage that risk according to the organization’s risk appetite. The focus is truly on the governance and maintenance of the information security management system (ISMS).
By:
RYAN MACKIE
October 18th, 2016
Introduction
ISO/IEC 27001:2015 (ISO 27001) certification is becoming more of a conversation in most major businesses in the United States. To provide some depth, there was a 20% increase in ISO 27001 certificates maintained globally (comparing the numbers from 2014 to 2015 as noted in the recent ISO survey). As for North America, there was a 78% growth rate in ISO 27001 certificates maintained compared to 2014. So there is clear evidence that the compliance effort known as ISO 27001 is making its imprint on organizations in the United States. However, it’s just the beginning. Globally, there are 27,563 ISO 27001 certificates maintained, of which only 1,247 are maintained in the United States; that is 4.5% of all ISO 27001 certificates.
By:
DANNY MANIMBO
September 6th, 2016
NOTE: Schellman has since updated and expanded this information in an article found here.
By:
Schellman
August 25th, 2016
TAMPA, FL— August 25, 2016 – Schellman & Company, LLC (Schellman), a leading provider of compliance services, has been awarded accreditation by the ANSI-ASQ National Accreditation Board (ANAB) for ISO/IEC 20000-1 certification services. The new accreditation adds to the existing ISO 9001 accreditation Schellman received from ANAB in December, as well as the ISO/IEC 27001 accreditation Schellman received from ANAB in 2011 and from the United Kingdom Accreditation Service (UKAS) in 2015.
By:
STUTAY MONGA
August 1st, 2016
An internal audit process should be present within the organization and is vital to the design and effectiveness of any information security program. The requirements for an internal audit are set out in Clause 9.2 of the ISO 27001 standard. The process and time constraints of an internal audit vary based on the size and structure of the company, but the level of detail and effectiveness of the internal audit should be consistent across all organizations. Many clients initially believe that an internal audit is a simple walkthrough of organization-specific processes and applicable controls; however, the internal audit requires the organization to review the ISO 27001 framework and all in-scope Annex A controls based on the Statement of Applicability (SOA). As a result, the ISO 27001 internal audit is more stringent and control-focused than many organizations expect it to be before beginning the audit.
By:
RYAN MACKIE
July 18th, 2016
An ISO 27001 certification can help your business stand out. It lets your customers and potential customers know you care about and will protect their information. It can also help you streamline internal processes.
By:
RYAN MACKIE
April 21st, 2016
Have you ever wondered if the ISO 27001 certification is at all similar to a SOC 2 report? Many organizations today are dealing with multiple needs or demands for various compliance assessments or certifications. These organizations might wonder, “How can my ISO 27001 certification fit the needs for a SOC 2 report?” and vice versa. Below we have outlined the similarities and differences between an ISO 27001 certification and a SOC 2 examination.
By:
MATT WILGUS
April 19th, 2016
The release of details contained in the Panama Papers will be one of the biggest news stories of the year. The number of high-profile individuals implicated will continue to grow as teams comb through the 11.5 million documents leaked from Mossack Fonseca, a Panamanian law firm. While the news headlines will focus mainly on world leaders, athletes and the well-to-do, the overview from the International Consortium of Investigative Journalists (ICIJ) gets into additional details. This overview is worth reading to understand what services the firm provided, who uses the services, how they can be used legally and how they can be abused.