ISO 27001 Pre-Audit for an International Financial Technology Company
Customer
The Customer is an international B2C fintech company with offices in the US and Europe.
Challenge
To enable financial transactions for their clients, the Customer needed to comply with SOX, CCPA, GLBA, and other laws and regulations. To demonstrate the level of information security expected by these regulations, the Customer decided to obtain ISO 27001 certification and first wanted to check whether their information security management system (ISMS) was ready for the ISO 27001 certification audit.
Solution
ScienceSoft’s team of 2 certified IT security consultants performed a gap analysis of the Customer’s ISMS in accordance with ISO 19011, the international standard providing guidelines for auditing management systems. They used ScienceSoft’s proprietary checklist built around the Annex A controls of ISO 27001. The gap analysis took around 2 weeks and included:
- Interviewing the Customer’s senior management, as well as the heads and employees of the Information Security, Legal, Software Development, and ICT Departments, to verify the Customer’s internal processes related to information security.
- Analyzing the Customer’s information security documentation needed for ISO 27001 compliance, including:
  - Information security policy.
  - Data protection policy.
  - Access control policy.
  - Information security incident management policy.
  - Information security risk management policy.
  - Physical security policy, etc.
ScienceSoft’s IT security consultants identified the following gaps in the Customer’s information security documentation:
- Policies required for ISO 27001 compliance that had not been documented at all.
- Policy statements required for ISO 27001 compliance that were missing from the Customer’s existing documents.
ScienceSoft recommended the following remediation actions to the Customer:
- Add the missing statements to the existing policies.
- Establish the information security processes required by ISO 27001 that were not yet in place and document them in new policies.
At the final stage of the project, ScienceSoft held an online presentation to walk the Customer through the gap analysis results and answer their questions.
Results
The Customer received a gap analysis report structured like an ISO 27001 certification audit report. It listed the nonconformities discovered in their information security documentation and gave detailed, practical recommendations on remediation actions.
The report helped the Customer close the gaps in their ISMS and prepare for the ISO 27001 certification audit. Our IT security experts provided consulting support to the Customer throughout the gap remediation process.
Methodologies
Q&A sessions (interviews with management and staff) and review of documentation.