ISO/IEC 27001 is the international reference standard for an Information Security Management System (ISMS). Increasingly required by customers, in tenders, by cyber insurers, or for access to certain export markets, SYAGA supports you from the gap assessment through to preparation for the certification audit.
ISO 27001 is not a general legal obligation, but it is becoming an unavoidable commercial prerequisite
ISO/IEC 27001 remains a voluntary approach. It is nonetheless increasingly required in tenders, by large customers, by some cyber insurers, or as a prerequisite for access to certain export markets.
The majority of SMEs and mid-sized companies have not undertaken any structured approach to an Information Security Management System. The topic is perceived as complex, technical, and lengthy.
Classic certification engagements tie up your teams for several months and represent a substantial investment, often out of reach for an SME.
Tying up the CIO or the security manager for months to build an ISMS is not viable in an SME where everyone already wears several hats.
A structured approach in 3 phases, based on the same methodology already proven by SYAGA on PSSI-Express
Scoping interview with management and the IT security manager, followed by a systematic assessment of each of the 93 security controls in Annex A (2022 edition), spread across the 4 themes: organizational, people, physical, and technological. Delivery of a factual gap report.
Drafting or updating the security policy (ISMS), the Statement of Applicability (SoA) justifying the application or exclusion of each of the 93 controls, and a prioritized remediation plan to close the gaps identified in phase 1.
Follow-up on the implementation of the remediation plan, documentary review, and preparation of your team for the audit carried out by an independent accredited certification body. SYAGA prepares you for the audit; the certification itself is issued by that third-party body.
The core documents of the ISO 27001 certification file
Factual assessment of your compliance level against the standard.
Central normative document of the ISO 27001 certification file.
The governance document required by clauses 4 to 10 of the standard.
The roadmap to close the identified gaps.
Documents directly applicable by your teams.
All documents in formats you can evolve.
The ISO 27001 ISMS naturally overlaps with several frameworks
Central framework: clauses 4 to 10 (management requirements) and Annex A (93 security controls spread across 4 themes).
The cyber risk management measures required by the NIS2 directive largely overlap with the Annex A controls of ISO 27001. An ISO 27001 ISMS makes NIS2 compliance easier for entities in scope.
The measures in the IT hygiene guide published by ANSSI (the French national cybersecurity agency) overlap significantly with the Annex A controls of ISO 27001. Correspondence documented in the remediation plan.
The appropriate technical and organizational measures required by Article 32 of the GDPR rely on the same good practices as Annex A of ISO 27001 (access control, encryption, incident management).
Every ISO 27001 engagement is scoped according to your perimeter and current maturity level. Always a personalized quote.
Initial snapshot of your gaps
From gap assessment to audit preparation
After certification or on an ongoing basis
Contact us for a personalized quote based on your scope and current maturity level.