ISO 27001 Frequently Asked Questions

Security Officers commonly mistake annexure controls with the ISO 27001 standard clauses, thus thinking that certification is near impossible for their companies. The ISO 27001 certification recognises the ability for an organisation to manage their security risks and certification is not dependant on all annexure controls being implemented and matured.

In our experience, ISMSs are an invaluable tool to secure a repeatable flow of risk based security investment from the business. Since ISO 27001 requires security risks to be formally owned by business/executives the sole accountability for security is moved out of the IT department and shared with business.

Privasec has a very hands on approach and will built the entire ISMS for you. Limited but regular input will however be required from the management team. The risk assessment process is a one-time impact on operational staff and requires between 30-120 minutes of their time depending on their specific role.

SAI Global, BSI or Loyds are certification bodies. They conduct the final certification audits and therefore cannot consult and help you with the establishment of your ISMS.

Privasec is not a certification body and therefore cannot certify organisations. Your Privasec consultant will however act on your behalf at the audit and guide the primary auditee during the certification audit.

Privasec is an independent firm, not a technology integrator and does not partner with any vendors. Privasec does not mitigate risk on behalf of clients. Our aim is to assist our client’s through the remediation process and advise on suitable options and technologies where required. We may be able to, at the request of customer, carry out work if it falls within our service offering.