ISO 27001 Services

We'll work with your team to assess your ISO 27001 compliance, establish a baseline against the required standard and work towards uplifting your security.

What is ISO 27001?

ISO 27001 is an internationally recognised and accredited standard for the establishment, operation, maintenance and governance of an Information Security Management System(ISMS). The standard details what an organisation needs to do to select and implement a set of controls that protect information assets. While many organisations will have various controls in place, ISO27001 provides industry-recognised guidance and structure to assist organisations, mitigate risk and achieve certification as appropriate.

Key elements of ISO27001

A key element of ISO27001 is that it goes further than simply providing a set of controls that can be assessed for their effectiveness at a point in time. A significant element of the standard is focused on the Management System and the underlying governance and control mechanisms required to operate and manage information and information systems. Achievement of certification requires ongoing and continuous improvement and is a journey rather than a specific destination.

ISO27001 takes a risk-based approach to compliance

The standard does not mandate specific actions or controls that organisations must use in order to attain and maintain compliance. It takes a risk-based approach through the identification of organisation and information risks to ensure organisations are addressing those risks that are relevant to their size, operation and management requirements for information security. This allows for flexibility rather than taking a ‘one size fits all’ approach.

ISO27001 certification

This also applies to certification. Many organisations use ISO27001 in New Zealand as a guideline to ensure they are following information security best practices. But many others choose to undertake official ISO27001 certification through independent auditors to give customers, suppliers and other stakeholders assurance that they are following an established and trusted standard.

What is an ISMS?

While ISO27001 specifies that compliant organisations should have an Information Security Management System (ISMS), the standard does not mandate the specific content it should contain.

An ISO27001 ISMS is a set of policies, procedures and controls that address the people, process and technology risks an organisation faces. An ISMS does not specifically focus on tools and technologies but on risks and controls that keep information assets secure. It gives organisations a systematic approach for protecting all information whether it’s stored electronically or on physical media.

ISMS Internal Audit

An ISMS audit includes looking at several key elements. These are:

  1. 1. Your information security objectives
  2. 2. A list of all information assets
  3. 3. A list of all stakeholders and their expectations
  4. 4. The risks for each information asset
  5. 5. The controls and mitigation strategies, including implementation plans, for each of the risks
  6. 6. A measurement system so the performance of those controls and strategies can be monitored, maintained and continuously improved

ISO27001 does not specify precisely how the ISMS is to be constructed. It does, however, document what documents are required in order for the ISMS to be ISO27001 compliant.

Why does ISO27001 certification matter to your organisation?

Information security is a high-priority issue for all organisations. Customers, suppliers and other stakeholders are all part of a highly connected ecosystem, making the protection of data a key priority for everyone. ISO27001 certification provides assurance that you can be trusted to protect information and that you have considered the risks your organisation, and its supply chain faces, and have put into place appropriate mitigation strategies.

Reduce the risk of unauthorised access and data extraction

Being certified to ISO27001 provides assurance that you have implemented the baseline measures in place to manage information and information systems and reduce the risk of unauthorised access and data extraction. It enhances your defences and reputation as it forces you to take information security seriously and documents that you have been accredited by an independent auditor.

With many countries, including Australia and New Zealand, adopting data protection laws, operation of an ISMS aligned or certification to ISO27001 can prevent the risk of a breach of systems and data. Being ISO27001 certified shows customers, suppliers and regulators that you have taken reasonable steps to protect your data and mitigate risks in a way that is appropriate for your organisation.

ISO27001 provides structure to your cybersecurity strategy

ISO27001 does not mandate specific controls but it can provide structure to your cybersecurity strategy. Because it focuses on the risks that matter to your organisation, it avoids taking a reactionary approach to specific threats and provides a framework that enables you to be prepared for a broad range of risks by taking a holistic view of your threat environment.

How can Tesserent help New Zealand organisations?

Tesserent has delivered ISO27001 ISMS review and remediation services over many years, across a diverse range of industries and clients. That broad and deep experience means we can help organisations identify risks and put in place appropriate controls that ensure their data is as well protected. Our staff are certified as ISO27001 Lead Auditors, amongst other certifications, and can assist you in the development, design, remediation and assessment of your requirements. Our ISO27001 ISMS services can be tailored to your requirements and may include:

  • ISO 27001 Gap Analysis and Advisory

  • ISO 27001 Control Development & Remediation Services

  • ISO 27001 Certification and Surveillance Audits (Completed by a Partner Organisation)

Tesserent’s broad ISO27001 services in New Zealand include comprehensive reviews of all your documentation, interviews with key stakeholders and the production of a gap analysis report that will guide your path towards compliance. This includes a comprehensive presentation to management that outlines the risks, how they can be mitigated and how ISO27001 compliance will help the organisation as it moves forward in its cybersecurity journey.

And once you have achieved ISO27001 compliance, Tesserent can help you with regular reviews and advice on how to continually improve your security posture and be prepared for emerging and potential new threats. This ensures you have an eye on continuous improvement and not simply on just passing audits.

Frequently Asked Questions

What are the benefits of implementing ISO27001?

Implementing ISO27001 can provide numerous benefits, such as improved information security, better management of risks, enhanced customer trust, and compliance with legal and regulatory requirements.

Who can implement ISO27001?

ISO27001 can be implemented by any organisation, regardless of its size or industry, that wants to protect its sensitive information and manage risks effectively.

How long does it take to implement ISO27001?

The time required to implement ISO27001 depends on the size of the organisation, the complexity of its operations, and the scope of the implementation. Typically, it can take from 6 months to 1 year to implement the standard.

What is a risk assessment?

A risk assessment is a process of identifying, analysing, and evaluating risks to an organisation's sensitive information. The aim is to identify potential threats and vulnerabilities, assess their likelihood and potential impact, and develop appropriate measures to mitigate or manage them.

What is a risk treatment plan?

A risk treatment plan is a document that outlines the measures that an organisation plans to take to address identified risks. This can include avoiding the risk, transferring the risk, mitigating the risk, or accepting the risk.

What is a Statement of Applicability (SoA)?

A Statement of Applicability (SoA) is a document that outlines the controls that an organisation has implemented or plans to implement to manage its information security risks. It is an essential component of an ISO27001-compliant ISMS.

What is a certification audit?

A certification audit is an independent review of an organisation's ISMS to ensure that it complies with the ISO27001 standard. The audit is conducted by a third-party certification body, and if the organisation passes the audit, it is awarded an ISO27001 certificate.

How long does an ISO27001 certificate last?

An ISO27001 certificate is valid for three years from the date of issue. During this period, the organisation is subject to annual surveillance audits to ensure that it continues to comply with the standard.

Can ISO27001 be integrated with other management system standards?

Yes, ISO27001 can be integrated with other management system standards, such as ISO9001 (Quality Management System) and ISO14001 (Environmental Management System). This can help organisations streamline their management processes and achieve greater efficiency.

Contact us

Speak with a Tesserent
Security Specialist

Tesserent is a full-service cybersecurity and secure cloud services provider, partnering with clients from all industries and all levels of government. Let’s talk.

Let's Talk
Tess head 5 min