Organizations that control information systems and/or control and process personal data and other confidential information should, in order to ensure proper information and cyber security management and personal data protection, aim to implement and maintain an Information Security Management System (hereinafter – ISMS) according to the requirements of ISO/IEC 27001 (ISO 27001). An ISMS provides the organizational and technical data protection controls needed to meet the requirements of the General Data Protection Regulation (GDPR).
Organizations can implement an ISMS independently or seek help from certified experts. Organizations that have implemented an ISMS independently should have an ISO 27001 Gap Analysis (GAP) performed before the certification audit to confirm their readiness for certification.
The implementation of an ISMS will provide organizations with the following benefits:
- It ensures the unified management of information and cyber security and the protection of personal data, applying the global practices of the ISO 27001 standard;
- It enables effective information and cyber security management and personal data protection to be integrated into other operational processes of the organization and aligned with the organization’s strategic goals;
- It allows timely identification and reduction of information and cyber security vulnerabilities and security gaps;
- It helps to identify, evaluate and effectively manage information and cyber security risks;
- It helps to plan and implement organizational and technical (control) measures for information and cyber security and to effectively maintain the required level of information and cyber security management;
- It involves the organization's employees in the management of information and cyber security and the protection of personal data, improving their competence and strengthening their skills and resilience to cyber and social engineering attacks;
- It ensures compliance with the requirements of the ISO 27001 standard and successful ISMS certification;
- It ensures proper implementation of the GDPR, the Law on Legal Protection of Personal Data of the Republic of Lithuania, the Law on Cyber Security of the Republic of Lithuania and the requirements of secondary legal acts.
A lack of sufficient technical and organizational measures may be considered an infringement of the provisions of the GDPR, in which case administrative fines of up to 2–4% of the total annual worldwide turnover of the preceding financial year, or up to 10 000 000 EUR to 20 000 000 EUR, may be imposed.
- We analyze the current situation
- We prepare an ISMS implementation plan and a list of the ISMS policies and procedures to be created
- We prepare a statement of applicability, an information security policy, and the policies and procedures for implementing the information security policy
- We perform an information security risk assessment and prepare a plan for information security risk management
- We prepare an ISMS monitoring, measurement and control plan
- We organize the introduction of ISMS, its processes and procedures as well as the matrix of responsibilities to the organization’s employees
- We perform ISMS internal audit and Management review
- We help to prepare for the certification audit (including assistance during the certification audit process)
- We help to prepare for the maintenance audit and provide support during it
- An analysis of the current situation is carried out. The requirements and needs of interested parties, as well as the existing information and cyber security management and personal data protection processes and procedures, are analyzed.
- An ISMS implementation plan and a list of ISMS policies and procedures are prepared. The scope of the ISMS implementation is defined. The list of ISMS documents to be created, together with their preparation schedule, is prepared and signed off.
- A statement of applicability, an information security policy, and the policies and procedures for implementing the information security policy are created. The following ISMS documents are created and harmonized: statement of applicability; information security policy; policies and procedures for implementing the information security policy; information security risk assessment procedure; ISMS monitoring, measurement and control procedure; ISMS internal audit procedure; ISMS management review procedure.
- An information security risk assessment is carried out and an information security risk management plan is created. The risk assessment is documented in a report. The information security risk management plan is created and signed off.
- An ISMS monitoring, measurement and control plan is created. In accordance with the ISMS monitoring, measurement and control procedure, the plan is created and signed off.
- Training for the organization's employees is carried out. The ISMS, its processes and procedures, and the matrix of responsibilities are introduced to the organization's employees.
- An ISMS internal audit and a management review are performed. The internal audit of the ISMS is carried out and an audit report is created. The management review is carried out and a report is created.
- Consultation in preparing for, and during, the certification audit is provided. All ISMS documents are checked and evaluated, and readiness for certification is assessed. Assistance is provided during certification by participating in the audit. Consultation during the certification process and assistance in eliminating identified non-conformities are provided.
- Preparation for the maintenance audit and assistance during it are provided. All ISMS documents are checked and evaluated, and readiness for the maintenance audit is assessed. Assistance is provided during the maintenance audit by participating in it. A plan for eliminating identified non-conformities is prepared and assistance in eliminating them is provided.
- Unified management of information and cyber security is ensured
- Vulnerabilities and security gaps in information and cyber security are identified and eliminated in a timely manner
- Information security risks are properly assessed and managed
- Employees are included in information and cyber security management processes
- Employees are educated
- Compliance with legal acts is ensured
- ADWISERY experts, together with partners, have started a service project for performing compliance assessment, certification and maintenance audits of Information Security Management Systems and Information Technology Service Management Systems
- ADWISERY carried out internal audit services for an information security management system meeting the requirements of the Lithuanian standard LST EN ISO/IEC 27001:2017