Advantages of the ISO 27001 standard:

The implementation of the ISO 27001 standard in an organisation is beneficial in several ways:

  • It helps organisations identify and manage information security risks that may arise from both internal and external sources.
  • It provides a framework for the establishment and implementation of information security-related policies, procedures and technical measures.
  • It helps organisations plan and prepare for disaster management and continuity of business.
  • It helps organisations establish an effective Information Security Management System (ISMS) that covers the collection, management, protection, retention and destruction of data.
  • ISO 27001 certification demonstrates to customers, partners, employees and other parties that the organisation takes information security seriously and has implemented appropriate controls to protect data.

The need for and the obligation to have an information security management system (ISMS) in Estonia:

Based on the version of the Cybersecurity Act as amended in 2022, many organisations have the obligation to reorganise their information security management and bring it into compliance with the law by implementing an information security management system (ISMS) such as ISO 27001.

The Cybersecurity Act sets a specific deadline for certain public, private and third sector organisations that are legally required to implement an ISMS (e.g. vital service providers, providers of essential services), and gives them a choice between two options:

  • Create and implement an ISMS that is in compliance with the Estonian Information Security Standard (E-ITS), which replaced the previously used ISKE baseline security system as of 2023.
  • Create and implement an ISMS that complies with the internationally recognized ISO/IEC 27001 standard, and get and maintain a relevant compliance certification.

Why choose ISO 27001 certification?

ISO 27001 certification is widely recognized both in Europe and in other parts of the world. Certifying the organisation's information security management system to ISO 27001, and maintaining that certification, is an effective way to show the organisation's cooperation partners and the Estonian Information System Authority (RIA) that the confidentiality, integrity and availability of the data processed by the organisation are guaranteed in accordance with the ISO standard and the best practices in the field.

ISO 27001 Consulting and Auditing offered by KPMG:

KPMG can assist clients with consultations on the implementation of the standard and with auditing and certification. KPMG issues ISO 27001 certificates in Estonia and also conducts the mandatory surveillance audits required by the ISO standard. This ensures the continued compliance of the organisation's ISMS with the ISO standard and helps maintain the certification.

PHASES OF SERVICE

  1. Planning: preliminary activities for conducting an ISO certification audit.
  2. Pre-certification assessment: pre-audit assessment of the current state of the information security management system.
  3. Certification audit: conducting a certification audit and preparing an audit report that includes a description of deficiencies. After a successful audit, the ISO certificate will be issued for three years.
  4. Follow-up audit: a follow-up audit is conducted every 12 months or in case of major changes to the ISMS.

Consulting

ISO 27001 consulting begins with a gap analysis of the organisation's information security. Regarding the deficiencies identified during the analysis, we provide recommendations for the implementation of measures that enable the organisation to effectively bring its information security process(es) into compliance with the standard. In cooperation with the client, we prepare a detailed action plan to achieve compliance; where appropriate, KPMG can provide assistance in implementing the action plan (please see KPMG IT risk assessment service).

Pre-audit

The certification process begins with a pre-audit. The purpose of the pre-audit is to assess the ISMS implemented by the organisation and to establish whether it is ready to successfully pass the certification audit. After the pre-audit, the organisation has six months to remove the identified deficiencies and non-conformities and start the certification audit. If, after six months, the organisation is not ready for the certification audit because the deficiencies identified during the pre-audit have not been removed, the pre-audit must be conducted again.

Certification audit and surveillance audit

There is a three-year certification cycle that comprises a certification audit and two surveillance audits, which must be carried out within two years following the year the certificate is issued. If the organisation wishes to maintain certification beyond the end of the third year, recertification must be performed. This requires a successful audit, and then a new three-year certification cycle begins.

ISAE SOC2 and ISO 27001

Certification based on the requirements of ISO 27001 also ties in well with ISAE certification (please read more here: KPMG SOC2 (ISAE 3000 certification)). KPMG has a unique market position because we offer both a service designed to provide assurance about the effectiveness of information security-related controls required by ISAE 3000 (SOC2 report) and an information security management system certification service according to the ISO 27001 standard. Simultaneous certification to the two standards saves time and money, and also helps the organisation obtain certifications and meet well-known information security standards in both the European and US markets.

Provide a safe and sustainable business environment for your company! We will help you build a resilient and reliable digital world, even in the face of changing threats.

KPMG Baltics OÜ

+372 626 8700
itaudit@kpmg.ee
Ahtri 4, 10151 Tallinn, Estonia