Aragorn’s guidance to ISO 27001

Written by Patrick van der Weide

Protify guided Aragorn in the process of achieving their ISO 27001 certification (information security). They are no strangers to each other, having served a number of joint clients. For instance, Protify has supported a number of clients in the certification process, with Aragorn as IT service provider joining audits to explain their IT infrastructure.

The trigger

For an IT service provider, a good information security set-up is very important. Aragorn was increasingly asked by potential customers whether they held the ISO 27001 certificate. Although they had drawn up relevant rules and agreements on information security, these had not yet been translated into a management system.

‘As an IT service provider, a good information security setup is very important.’

The approach

This project started by discussing the PoA (plan of action), which sets out the project’s basic principles. We then carried out a Gap analysis together with Aragorn. The objective of this analysis was to clarify the extent to which Aragorn already complied with the requirements of the standard relevant to them and which steps still needed to be taken. This Gap analysis took one day and was carried out in cooperation with the management, the management assistant and one of the network engineers. These employees were also involved in the rest of the project. In addition, several interviews were conducted with employees from all parts of the organisation. The results of the Gap analysis were provided by Protify in a report. The main conclusion was that Aragorn already had a lot of things in order, but that this had not yet been translated into a management system.

The management system

Based on the results of the Gap analysis, we set up the management system. As the basis for this, we used the digital platform ProActive Compliance Tool (PCT). Several sessions were conducted, including:

  • Process analysis: a session intended to gain insight into Aragorn’s primary processes and the employees, systems, applications and information involved in them. This process analysis was used as a basis for setting up and implementing the management system. After all, the intention is for the ISMS to ensure safer operations and meet the requirements of the standard without having an unacceptable impact on the organisation’s current way of working.
  • IT infrastructure: a session aimed at understanding the organisation’s IT infrastructure.
  • Resources: a session aimed at understanding the IT resources used by the organisation and how they are set up.
  • Risk analysis: a session aimed at identifying the risks that are unacceptable to Aragorn and determining the control measures.

After each session, Protify drafted the first version of the ISMS documentation in the PCT. These elaborations were always reviewed and modified by Aragorn and jointly finalised during our fortnightly progress meetings. During these meetings, progress and outstanding questions were also discussed. In addition, we could immediately advise on the design and implementation of the topics described in the documents.

Audits

A few weeks before the external audit, the internal audit took place. During this audit, the ISMS and the (plans for) implementation were discussed and the extent to which the relevant requirements from the standards were met was assessed. A number of shortcomings came to light during this audit. Naturally, these were discussed immediately and action was taken to be ready in time for the external audit.

The external audit was conducted by auditors from Brand Compliance and took place on two different occasions. First, the phase 1 audit was conducted over three days. Phase 2 followed a week later. A few more shortcomings were found during phase 1 of the audit, which were jointly remedied. After this, certification could proceed.

Certification

Because Aragorn ultimately met all the relevant requirements, the certification was achieved! In addition, by setting up the management system, Aragorn achieved a higher level of information security and a reduction in risk. The entire project took about 4.5 months.

Managed services

Obtaining a certificate is step one; maintaining the certificate and remaining compliant with the requirements of the standard is the next. For this reason, Aragorn has entered into a managed services contract with Protify. Under this contract, we support the maintenance and continuous improvement of the management system. Among other things, we do this by attending the monthly certification meeting, performing internal audits and attending the external audits.

More information?

Does your company also want to become certified and find out what is involved? Contact us with no obligation.

Patrick van der Weide

As a freelance consultant affiliated with Protify, Patrick supports clients in the role of CISO or security officer and/or as a project contributor. Patrick has an academic background in law, broad operational IT experience, and is CISSP-certified.