ISO 27001 Consulting Services

CIMA's History as a Premier ISO 27001 Consulting Services Provider


CIMA has been offering ISO 27001 consulting services since our doors opened in 2005, and later complemented this by adding ISO 27001 certification training services in 2010 in partnership with a global certification body. Our staff were using this standard in operational roles prior to CIMA, since it was first adopted by ISO in January 2000, and as British Standard (BS) 7799 before that. So, unlike many other consultancies, CIMA has used it on both sides of the fence: as an internal organizational security leader establishing an Information Security Management System, and now as an external expert consulting services provider. We routinely get shortlisted in bids against big four (4) management consulting firms on engagements with medium and large companies, and work with many tech and other start-up companies. This page highlights some of the key areas that clients typically engage our ISO 27001 consulting services for.

What is ISO 27001?

ISO 27001 is a globally accepted standard adopted by 165 countries around the world, focused on the establishment and maintenance of an Information Security Management System, more commonly referred to as an Information Security Program. The standard details specific elements or controls that need to be implemented in conjunction with data security compliance obligations to unify and cohesively address information security management activity across an organization.

ISO 27001 Consulting Services


Based on our proprietary structured methodology taught in our 5-day ISO 27001 Lead Implementer course, CIMA offers clients end-to-end services to support building, implementing, maintaining and continually improving an ISO 27001-based Information Security Management System. This includes helping you through the certification audit as well.

Our methodology is built around the "Deming Circle," more commonly known as the Plan, Do, Check, Act or PDCA model, designed to create a never-ending and continually improving approach.

A Customized Approach for Every New Client

Having worked with many clients in a variety of industries including financial services, big tech, and foreign governments over the years, we know only too well that every organization is unique in its needs and capabilities. As a result, while we leverage our structured methodology, every client engagement is tailored to meet each client organization's unique needs. To address this, CIMA uses our four-stage client engagement approach.

Some clients need it all (end-to-end dedicated support), while others want to leverage internal resources but need experts to help them with only portions of the big picture. The diagram below illustrates some of the key areas in which we have supported client needs in an "à la carte" approach. The areas in this diagram are only representations of key areas, and should not be considered a complete list of the activities needed to build an Information Security Management System for ISO 27001 compliance.

CIMA's à la carte ISO 27001 key consulting support areas

A general overview of our consulting support services is also available.

Private On-site, Online or Blended ISO 27001 Implementation Training


To help get all key stakeholders on the same page before the project launch, CIMA's ISO 27001 consulting services can include private instructor-led training. This allows your team to learn about the standard while speaking freely on relevant internal issues throughout the course, which would not be possible at public seminars involving students from other organizations. For larger organizations, we have set up multiple private on-site training sessions to accommodate teams with conflicting time commitments as well. We can provide our one-day ISO 27001 Foundations course, our 5-day ISO 27001 Lead Implementer course, or create a custom course to meet your organization's unique needs.

ISO 27001 Control-based Gap Assessment

Quickly get a clear picture of your ISO 27001 compliance status by using CIMA to perform a thorough gap assessment of mandated controls, as well as our add-on service to assess the competency of the employees supporting the organization's Information Security Management System.

Our gap assessment not only assesses compliance; using a custom capability maturity model aligned with the requirements of the standard, we also include a control-based maturity rating to determine the depth of compliance and avoid false confidence in the organization's level of compliance with the standard.


Information Security Risk Assessment Methodology Development


One of the key areas at the forefront of any ISO 27001 implementation is developing an ISO 27001 / 27005 compliant risk assessment methodology or process. The challenge for many newcomers to the ISO 27001 world is that a risk assessment must be performed at the outset, and the standard mandates that when performing this and other key security management activities, the approach must yield accurate, complete and repeatable results. In the absence of a documented and standardized approach that is also compliant with the ISO 27005 risk management framework, this is a very hard task to accomplish.

With our proprietary methodology, which meets not only the requirements of ISO 27005 but also the general requirements of NIST 800-30 / 37 R2 and the Canadian Harmonized Threat Risk Assessment, we can prepare a customized licensed version to get you up and running quickly. Make sure your Information Security Management Program starts on a solid foundation.

SecureTeam™ - A Hosted Employee Information Security Training Solution

One of the key requirements related to ISO 27001's mandated Awareness and Training obligations, for organizations claiming compliance with the standard, is to provide all organizational employees with foundational information security training. So, not only can we help you build your entire organizational Awareness and Training Program, but we can also help you address employee information security training needs. To assist clients in meeting this obligation, in 2006 we developed SecureTeam™, a custom e-learning package. In 2022, CIMA converted this product to Software as a Service in response to demand from small tech start-up companies.

SecureTeam™ is a customizable e-learning solution designed to train geographically dispersed employees in a cost-effective manner, while addressing policy issues originating from ISO 27001 controls. Clients get regular reports from the system to monitor employee progress and completion. For complete details, please visit our product page.


ISO 27001-based Information Security Governance Development

To help clients get up and running with their Information Security Management System, as part of our ISO 27001 consulting services we specialize in developing your organization's complete set of Information Security Governance, including the program's information security charter, policy, standards, processes and procedures. We offer both custom-built governance from scratch, where the client owns the intellectual property upon acceptance of the deliverables, and a licensed, custom-developed set built from our governance templates at significantly reduced time and cost. The latter is especially appealing to our tech start-up and medium-sized clients, as well as those with a short window of time to achieve certification due to compliance obligations.

No matter what your circumstances are, we can help you get the information security governance in place that will allow you to meet the certification criteria.


ISO 27001 Control Implementation Support


Once the full scope of controls is understood, we can help your operations teams implement, or provide guiding support for, the controls required to meet your compliance obligations.

Support is available for both traditional and cloud-based systems. As part of this service we can document technical or functional requirements, assess technical solutions for the right fit, assist or support your personnel in their implementation, and create the operational procedures for these systems that the standard mandates.

Information Security Metrics Program Development

A mandatory requirement of the standard is the development, implementation and ongoing maintenance of a security metrics or performance management program for the controls implemented under the organization's Information Security Management System.

Using our proprietary methodology for Security Metrics Program development, we will work with your team(s) to define performance measurements, and to define a standardized process and supporting procedures for defining and gathering measurements, analyzing them and reporting on them, in order to determine the operational efficiency of the controls and the Information Security Management System's overall performance against established objectives.


ISO 27001 Internal Audit Program Development Support and Outsourced Services


A mandatory requirement of the ISO 27001 standard is the development of an Internal Audit Program focused on auditing the controls of the Information Security Management System. Using our proprietary tools, we will develop and license a custom Internal Audit Program set to help your organization meet the mandatory requirements of ISO 27001 and ISO 19011, among others.

We'll help you set up your Internal Audit Program, with our proprietary documented process, forms, job and competency descriptions, and the other elements mandated by the standards.

If you are not ready to establish this function internally, we can assist through our outsourced offering, ensuring your ongoing operational compliance. As your organization grows and you are ready to add this function to your internal teams, we'll be happy to get your new employees up to speed and ready to take over the reins when it makes sense for the organization.
