157ISOICI Base

ISO 27001 – ISMS Continual Improvement

    Service Overview

    This Statement of Work identifies the objectives, scope, methodology, deliverables, client requirements, and assumptions for all work to be completed by DeepSeas.

    Objectives

    The objectives of this initiative are as follows:

    Risk Assessment

    1. Identify and prioritize cybersecurity risks in the environment.
    2. Support protection of critical assets.
    3. Support compliance with legal, contractual, and regulatory requirements.
    4. Quantify findings so that they are universally understood and easily communicated.
    5. Develop a prioritized list of top risks and an actionable plan for risk mitigation.

    Internal Audit

    1. Validate that the Client's ISMS conforms to the requirements of the ISO 27001:2022 Standard for audits.
    2. Validate that the Client is adhering to the audit objectives, criteria, schedule, and procedures defined by the Client.
    3. Validate that the ISMS is effectively implemented, maintained, and continually improving.
    4. Validate compliance with regulatory requirements.
    5. Develop a prioritized Corrective Action Plan.

    Methodology

    This Risk Assessment project consists of the following phases:

    1. INTERVIEW SCHEDULE
      1. The Client will identify the departments and stakeholders required to attend interview sessions and a risk workshop by completing the interview schedule provided by DeepSeas.
    2. ASSET INVENTORY DEVELOPMENT
      1. The Client will develop an asset inventory with associated risk profiles to conduct the risk assessment. DeepSeas will consult on mapping assets to the risk workbook and the creation of risk profiles.
    3. RISK WORKSHOP
      1. DeepSeas will conduct a risk workshop with the ISMS Manager and risk owners, as defined in the interview schedule, to evaluate vulnerabilities and quantify risks for all asset categories.
      2. Each vulnerability/weakness will be assessed on:
        1. Likelihood of a measurable event occurring from exploitation of the vulnerability, and
        2. Potential impacts from exploitation of the vulnerability.
      3. Vulnerabilities/weaknesses will be prioritized based on risk to the organization.
    4. DOCUMENTATION
      1. DeepSeas will develop a formal Risk Assessment Report.
    5. PRESENTATION
      1. DeepSeas will schedule a call with the Client to review all deliverables as part of the engagement.


    This Internal Audit consists of the following phases:

    1. PLANNING: Preparation necessary to conduct an effective internal audit, including:
      1. Scope Definition - Review the audit's objectives, scope, criteria, and procedures as defined by the Client. In the event these audit attributes are not defined, the lead auditor will define these for approval from the Client's IT management.
      2. Schedule Development - Review and agree on the audit schedule (dates, times, and places).
    2. ENGAGEMENT: Conduct the opening meeting while communicating and clarifying the following:
      1. Audit Plan, including the audit objective, audit scope, language, and audit criteria (including standards and regulatory, contractual, and legal requirements);
      2. Communication channels, roles, and responsibilities;
      3. The audit process for collecting and verifying objective evidence;
      4. Generating and reporting of audit findings and conclusions including grading of non-conformities;
      5. Information about conditions under which the audit may be terminated;
      6. Information about an appeal system on the conduct or conclusions of the audit.
    3. AUDIT: Perform the audit through:
      1. Review of previous audit findings (if any) and corrective actions;
      2. Review of ISMS standards, processes, procedures, specifications, contracts, and other relevant documentation;
      3. Interviews with identified staff with audit findings summarized and agreed upon amongst the auditees;
      4. Review of verifiable objective evidence or records to demonstrate compliance with documented policies, standards, and processes (Note: Evidence will be collected by appropriate sampling and must be verified);
      5. Preparing work documents such as checklists and sampling plans;
      6. Review of on-boarding and off-boarding;
      7. Review of the SDLC, access reviews, procedures, physical controls, and compliance requirements.
    4. PRESENTATION: Conduct Closing Meeting:
      1. Evaluate the audit evidence against the audit criteria to generate audit findings. Audit findings will indicate non-conformities with audit criteria and opportunities for improvement.
      2. The audit findings and conclusions will be presented in a manner that is understood and acknowledged by the Client auditees and, if appropriate, a timeframe for corrective action will be agreed upon.

    Deliverables

    DeepSeas will produce the following deliverables for the Risk Assessment:

    1. RISK ASSESSMENT REPORT - DeepSeas will deliver a risk assessment report with details pertinent to identified risks and the recommendations for remediation.

    DeepSeas will produce the following deliverables for the Audit(s):

    1. SUMMARY FINDINGS - DeepSeas will provide an ISO 27001:2022 Audit Report to address:
      1. The extent of conformity of the management system with the audit criteria;
      2. The effective implementation, maintenance, and improvement of the management system;
      3. Audit follow-up as needed;
      4. Corrective and Preventive Actions;
      5. Corrective Action Form Approval.

    Service Assumptions

    PROJECT-SPECIFIC ASSUMPTIONS

    • Operational Security Program Management
    • Annual ISO Risk Assessment
    • Annual ISO Internal Audit
      • Includes one (1) location in the audit scope per surveillance year
    • Consulting Hours/Working Session
      • Twenty (20) hours annually