While we tailor every assessment to meet each client’s unique requirements and challenges, our roadmap to compliance typically follows a five-phased approach that creates the general framework of each assessment. Our goal is to create an efficient, unobtrusive assessment so that you can focus on your business, and we can focus on your compliance.

Our team of professionals serves our clients by combining knowledge of industry standards and regulatory requirements with proven methodologies and tools to produce cost-effective, value added results. And what really sets us apart from our competitors is our highly personalized, client-centric level of service. We view ourselves as your business partner and treat our engagements as an opportunity to continuously improve your business processes, rather than a mere exercise in compliance.


Risk Assessment / Scoping

(Phase 1): The International Organization for Standardization (ISO) 27001 outlines specific requirements. Defining the scope of an ISO 27001 engagement involves understanding how your organization’s information security requirements and security objectives align with ISO 27001 requirements. We have years of experience working with nearly every industry and work with our clients to ensure that we cover the appropriate scope.

During this phase, the following areas will be covered:

4 Context of the organization

  • 4.1 Understanding the organization and its context
  • 4.2 Understanding the needs and expectations of interested parties
  • 4.3 Determining the scope of the information security management system
  • 4.4 Information security management system

8.2 Information security risk assessment

GAP Assessment and Fieldwork

(Phase 2): The GAP Assessment and Fieldwork activities are designed to assess how the company is currently aligned with ISO 27001. By conducting a thorough gap analysis and field work activities, our consultants will assess the current control environment by identifying strengths and providing recommendations for areas that need improvement. As part of our detailed recommendations, we will provide a prioritized listing of controls that should be considered for implementation or enhancement prior to finalizing the assessment.


  • This is a series of interviews with management and process owners to confirm our understanding of the system and flow of transactions, identifying existing controls and assessing how new controls could be implemented.

Testing of Controls

  • Through a combination of inquiry, observation and inspection procedures, the operating and design effectiveness of each control is assessed.
  • Testing results and observations are communicated to management.
  • Management responds to identified deficiencies (if applicable).

During this phase the following areas will be covered:

5 Leadership

  • 5.1 Leadership and commitment
  • 5.2 Policy
  • 5.3 Organizational roles, responsibilities and authorities

6 Planning

  • 6.1 Actions to address risks and opportunities
  • 6.1.1 General
    • 6.1.2 Information security risk assessment
    • 6.1.3 Information security risk treatment
    • The following control objectives and controls from ISO 27001 will be evaluated:
      • Security policy
      • Organization of information security
      • Human resources security
      • Asset management
      • Access control
      • Cryptography
      • Physical and environmental security
      • Operations security
      • Communications security
      • Systems acquisition, development and maintenance
      • Supplier relationships
      • Information security incident management
      • Information security aspects of business continuity management
      • Compliance


(Phase 3): As a result of our initial GAP Assessment and Fieldwork activities, management will receive a preliminary report with any deficiencies identified that need remediation.  Inc. will work with management as needed during the remediation phase of this engagement to ensure that new controls are implemented according to the requirements of the ISO 27001 standard. 

Management is assigned a secure file sharing folder where they can exchange documents securely with all project team members. Upon implementation of controls, the procedures are validated by the project team and updated in your final report on controls.

As part of the remediation, we will work with management to evaluate the following areas and develop management procedures where necessary and create a foundation for the continual management of your ISMS:

7 Support

  • 7.1 Resources
  • 7.2 Competence
  • 7.3 Awareness
  • 7.4 Communication
  • 7.5 Documented information
  • 7.5.1 General
  • 7.5.2 Creating and updating
  • 7.5.3 Control of documented information

8 Operation

  • 8.1 Operational planning and control
  • 8.2 Information security risk assessment (ongoing)
  • 8.3 Information security risk treatment

9 Performance evaluation

  • 9.1 Monitoring, measurement, analysis and evaluation
  • 9.2 Internal audit
  • 9.3 Management review

10 Improvement

  • 10.1 Nonconformity and corrective action
  • 10.2 Continual improvement

Certification Assistance

(Phase 4):  Implementing an ISMS is only part of the ISO certification; in addition, you are required to have an evaluation completed by a registrar. We will assist management with the coordination and communication of this examination to ensure that management is efficiently and accurately communicating with the third-party assessor.

Internal Audit and Monitoring

(Phase 5): After you have put into place your ISMS, we will work with management as need to provide internal audit support and monitoring procedures to meet the ongoing evaluation requirements as a part of your ISMS. We will assist with regular risk assessments and act as an internal audit department to monitor your ongoing compliance and improvement over time.

Questions? Contact Ben Osbrach and he’d be glad to help.

Ben Osbrach, CISSP / CISA / QSA

Latest Blog Posts

Skoda Minotti Also Offers

Retirement Planning