Analyze and benchmark your information security level based on international standards (ISO 27001, 27002, SANS 20, IEC 62443, NERC CIP, etc.) to plan security mitigation measures based on facts.

Assess your information and IT security landscape

Understanding and managing information and IT security in an organization can be a complex undertaking. Getting a bird’s eye view of your current information and IT security landscape is the foundation to understand where you are and what strategic and tactical steps need to be taken.

With our ISO security audits you can easily determine your organization’s information and IT security strengths and weaknesses, and derive measures to better protect your assets.

Oneconsult will support you with this endeavor applying relevant international information and IT security standards to assess your situation, taking into account your industry and organization-specific circumstances.

Key benefits:

  • Get a 360-degree view
  • Identify security gaps
  • ISO 27001 Lead Auditor / ISO 27005 Risk Manager team
  • Know where to invest
  • Get a benchmark
  • Comply with key standards
  • Increase security awareness

We have a team of certified ISO 27001 Lead Auditors / ISO 27005 Risk Managers. Depending on your requirements, our security audits may be carried out based on ISO 27001, ISO 27002 or your own methodology:

ISO 27001 Security Audit

ISO 27001 formally defines an Information Security Management System (ISMS). It is the only standard of the ISO 27000 family by which organizations can get certified. Whilst the ISO 27002 audit focuses more on the practical implementation of controls, the ISO 27001 security audit looks at the management of the ISMS itself, and reveals the key gaps which would need to be addressed for an ISO 27001 certification without looking at the specific information security controls.

An ISO 27001 security audit is ideally accompanied by an ISO 27002 security audit. The ISO 27001 questionnaire has been developed by Oneconsult and covers:

  • 7 domains
  • documentation requirements for an ISO 27001 certification
  • 1 role (security officer/compliance officer)
  • To be filled out by 1-3 pre-defined representatives
  • Automatic visual summary including radar chart
  • May be re-used within the same organization free of charge (for benchmarking purposes)
  • Serves as the basis for the final report (in PowerPoint for easy re-use within the organization)
  • Allows completing the project with an effort of 8+ man days, including:
    • Kick-off workshop
    • Customization of questionnaire
    • Normalization of responses
    • Evaluation and analysis
    • Write-up of final report with detailed findings and recommendations
    • Presentation of project results

ISO 27002 Security Audit

The ISO 27002 security audit covers all domains of ISO 27002 (Code of practice for information security controls) and complies with ISO 27001 (Annex A). It is based on a questionnaire which has been developed by Oneconsult and been successfully tried and tested in a wide variety of organizations:

  • Excel file with 172 questions
  • Covering the 114 controls of ISO 27002
  • 4 roles (employee, management, ICT department, security officer)
  • Each role is associated with a specific subset of questions
  • To be filled out by a total of 10-20 pre-defined representatives
  • Automatic visual summary including radar chart
  • May be re-used within the same organization free of charge (for benchmarking purposes)
  • Serves as the basis for the final report (in PowerPoint for easy re-use within the organization)
  • Allows completing the project with an effort of 8+ man days, including:
    • Kick-off workshop
    • Customization of questionnaire
    • Normalization of responses
    • Evaluation and analysis
    • Write-up of final report with detailed findings and recommendations
    • Presentation of project results

Customized Conceptual Security Audits

We adapt our security audit approach to meet your specific requirements based on your organization’s own:

  • Risk landscape
  • Internal and external attack scenarios
  • Assessment methodology
  • Specific standards

Instead of using a questionnaire-based approach, we can do on-site interviews with selected representatives and apply standards of your own choice such as SANS 20, IEC 62443, NERC CIP.

Approach: ISO 27001, ISO 27002 or other Standard-based Security Audit

Each of our projects starts with a kick-off workshop to make sure we understand your goals and specific requirements and to introduce you to our methodology. The standard-based security audit may be split into the following phases:

  • Information gathering
  • Analysis and evaluation
  • Verification (optional)
  • Collation of results and recommendations

In the information gathering phase, we use our own standardized questionnaires, which we will adapt to meet your specific requirements and needs. You will then send out the questionnaire to pre-defined employees. Our specialists will analyze the filled-in questionnaires and make consistency checks. Verification of results is optional and may entail interviews, document reviews and technical tests (e.g. penetration test). Finally, we will summarize the results in a report and develop custom recommendations. You will receive:

  • Customized standard-based questionnaire
  • Radar chart with a high-level view of your security gaps
  • Report with detailed findings and recommendations
  • Benchmark to measure your progress

Standards

Depending on customer requirements and context, security audits may be based on different standards or recommendations.

Information and IT security standards:

  • ISO 27001 and 27002
  • ISO 27011 (ISO 27002 for telecommunications organizations)
  • ISO TR 27015 (ISO 27002 for the financial sector)
  • ISO TR 27019 (ISO 27002 for energy sector)
  • ISO 27799 (ISO 27002 in health informatics)
  • BSI-Standard 100-X (IT-Grundschutz standards)
  • SANS 20 (20 critical security controls for effective cyber defense, a subset of NIST SP 800-53)

ICS (SCADA / DCS) standards:

  • IEC 62443 (industrial communication networks)
  • NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection)
  • etc.

Effort

The standard-based security audit is a cost-effective approach to assessing your high-level information and IT security strengths and weaknesses so you can specifically plan your IT budget for security mitigation measures. Project effort starts from a few man days and may vary according to your requirements (such as questionnaire customization, number of filled-in questionnaires, number of interviews, verification needs, etc.).

ISO 27001 Security Audit Expertise

Since Oneconsult’s inception in 2003, we have conducted over 150 standard-based security audits. Amongst other qualifications, our conceptual security specialists hold CISSP, ITIL Foundation and ISO 27001 Lead Auditor / ISO 27005 Risk Manager certifications. Oneconsult AG is an ISECOM Partner (accredited trainer) and, based on the number of OSSTMM-compliant security audits, the leading security auditor in Europe.

For definitions of information and IT security terms please refer to our glossary.