Regency ISO27001 Certified Again

We are again extremely pleased to announce that, as of 12th April 2018, Regency IT Consulting maintained its ISO/IEC 27001:2013 certification for another year.

Information security management and successful certification remains a strategic goal for Regency. This year’s Continuing Assessment, again undertaken by the British Standards Institute (BSI), is the 8th consecutive successful annual assessment against our Information Security Management System (ISMS) scope, which includes the Regency Office IT, Managed Encryption Service and Secure Data Centre.

Regency achieved this certifcation, with just a small handfull of minor points being identified which is testament to good business practice throughout the company, combined with an appropriate sense of security for the information we process.

We claim this publicly because of course this is kudos for Regency, but we consider certification against the Standard as “bread and butter”. How else could we show face to our customers working, with our help, towards their own ISO/IEC 27001:2013 Certification.

For Our Customers

For almost 12 years now, Regency consultants have been helping customers advance their security strategies towards ISO/IEC 27001:2013 certification and we’ve perfected a project delivery model.

We usually carry out a 2 or 3 phased approach to certification.

Phase 0

Phase 0, summarised in the graphic below, provides the customer with the opportunity to determine whether they like us or not – although we’ve never not started Phase 1!

The phase is fairly quick, perhaps 5 to 10 days’ effort depending on the size and complexity of the organisation; we’ll assist with the production of a Project Initiation Document (PID) so that buy-in can be formally sought from organisational leadership. We’ll help you to identify a Project Team, for the implementation of the ISMS, and an ISMS Team, that will endure the long anticipated life of the ISMS. We’ll then suggest a Project Plan to identify the resources required for the project. We will present some Risk Management methods to you for consideration, and, with your input, we will model the scope of the ISMS and catalogue your information assets and processes. During the phase we will also provide you with a review of any existing information security related documentation that you have and we’ll tell you if it’s suitable for a certifiable ISMS. By this time through the dialogue you will have had with our consultants, you will have had sufficient guidance on how to conduct an information risk assessment, so that, if you choose, you could continue your certification journey without us and go about assessing information risk under your own steam – although preferably, you will ask us to stick around and assist with Phase 1.

Phase 1

The end of Phase 0 initiates Phase 1, as per the diagram below.

In this phase we work with the Project Team to continue and finalise the Information Risk Assessment. We then draft an Internal Audit Programme, which we will test and adjust as we continue throughout Phase 1. Throughout this phase we will have started to prepare some of the high level documents needed for your ISMS (or redraft yours if necessary). We will provide ongoing analysis of what has been produced and what you and we will continue to produce going into Phase 2. We will conclude Phase 1 with the production of a Detailed Statement of Applicability (DSoA). The DSoA describes the implementation of the ISO/IEC 27001:2013 Annex A Controls. We will work with you to provide you with ideas of what good looks like and what would be seen to be acceptable. Throughout our engagement we will advise on the intricacies of ISO27001:2013, for instance in explaining that none of the Standard is mandatory; that the Standard is simply a guide to be used in the implementation of an ISMS, that not implementing all 114 Controls of the Standard is okay, as long as residual risk due to unimplemented security controls are understood and accepted at an appropriate level within the organisation.

Phase 2

If you still like us at this point, we will help you move onto Phase 2 – as per the diagram below.

This phase kicks off with the production of the Risk Treatment Plan (RTP). With your support, we will iterate the RTP and the DSoA to ensure that the risks we have assessed are being treated by the implementation of sufficient (but not excessive) controls. We will use template documents from our own ISMS library and adapt them to suit your needs. The entire ISMS documentation set cannot, of course, come from Regency, there needs to be full support from the organisation’s Project Team to develop specialised documentation to form part of your ISMS, or to support it. We will work together to produce Training and Awareness material, and we will by this point in Phase 2 be firming up your Internal Audit Programme, at which point we will commence, using Regency ISO/IEC 27001:2013 qualified Lead Auditors, a full audit of your ISMS. More testing and adjusting may be required at this point. We will assist in your application for the support of a UKAS-accredited Certification Authority and we will lead or support the Certification Audit. If your ISMS fails to initially certify and where you have taken all Regency’s advice into account, Regency will, under our own steam, continue to work with you to rectify any weak areas and will again lead or support your re-Certification Audit until which point you gain certification.

Next Steps

If your organisation is seeking a stronger information security foothold, if you have government or large corporate customers and feel that your credibility would be enhanced by certification against the Standard, or if you simply promise your customers the best in the way of information security, then give us a call  on 01242 225 699 to discuss how our model can be used to support you or drop a line to enquiries@regencyitc.co.uk